hsqldb (2.7.1-1)
[PTS] [DDPO]
OK: VCS matches the version in the archive
- Git: https://salsa.debian.org/java-team/hsqldb.git
-
- Branch: master
- Path: debian/changelog
- Repo size: 42885120
- Browser: https://salsa.debian.org/java-team/hsqldb
- Last scan: 2023-06-07 04:50:10+00
- Next scan: 2023-06-13 22:58:00+00
- Debian changelog in Git:
hsqldb (2.7.1-1) unstable; urgency=medium
* New upstream version 2.7.1.
- Fix CVE-2022-41853:
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb
(HyperSQL DataBase) to process untrusted input may be vulnerable to a
remote code execution attack. By default it is allowed to call any static
method of any Java class in the classpath resulting in code execution.
The issue can be prevented by updating to 2.7.1 or by setting the system
property "hsqldb.method_class_names" to classes which are allowed to be
called. For example, System.setProperty("hsqldb.method_class_names",
"abc") or Java argument -Dhsqldb.method_class_names="abc" can be used.
From version 2.7.1 all classes by default are not accessible except those
in java.lang.Math and need to be manually enabled.
(Closes: #1023573)
-- Markus Koschany <apo@debian.org> Sun, 04 Dec 2022 21:32:57 +0100
- This branch is even with tag debian/2.7.1-1