As for the fix, I'd fixed the part which: "When using JDBCAuthProvider instead of DefaultAuthProvider, the Update Password feature fails due to wrong JDBC API call i.e. executeQuery on UPDATE queries, in the source code."
patch is just a few lines, but probably needs revision by someone
It suprises me that no-one complained about this one before. Applied fix.