hsqldb (2.7.1-1) [PTS] [DDPO]

OK: VCS matches the version in the archive

Git: https://salsa.debian.org/java-team/hsqldb.git
JSON
Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
The next upload will reset the information from the source package headers.
Branch: master
Path: debian/changelog
Repo size: 42885120
Browser: https://salsa.debian.org/java-team/hsqldb
Last scan: 2023-06-07 04:50:10+00
Next scan: 2023-06-13 22:58:00+00

Debian changelog in Git:

hsqldb (2.7.1-1) unstable; urgency=medium

  * New upstream version 2.7.1.
    - Fix CVE-2022-41853:
      Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb
      (HyperSQL DataBase) to process untrusted input may be vulnerable to a
      remote code execution attack. By default it is allowed to call any static
      method of any Java class in the classpath resulting in code execution.
      The issue can be prevented by updating to 2.7.1 or by setting the system
      property "hsqldb.method_class_names" to classes which are allowed to be
      called. For example, System.setProperty("hsqldb.method_class_names",
      "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used.
      From version 2.7.1 all classes by default are not accessible except those
      in java.lang.Math and need to be manually enabled.
      (Closes: #1023573)

 -- Markus Koschany <apo@debian.org>  Sun, 04 Dec 2022 21:32:57 +0100

This branch is even with tag debian/2.7.1-1