-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 10 Dec 2022 15:13:19 CET Source: hsqldb Architecture: source Version: 2.4.1-2+deb10u1 Distribution: buster-security Urgency: high Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Markus Koschany <apo@debian.org> Checksums-Sha1: b18bc9a180f7e92a18285b3b7c756b015546bd99 2264 hsqldb_2.4.1-2+deb10u1.dsc 8b586e05e2935a60fe13e6c4ba9c3feddab50351 3439220 hsqldb_2.4.1.orig.tar.xz 592719d8d409c7bc86b4e464913aa3ace1d37901 11860 hsqldb_2.4.1-2+deb10u1.debian.tar.xz 9049bc59aa3c983154c0c387b7d9ed85348b0d19 11889 hsqldb_2.4.1-2+deb10u1_amd64.buildinfo Checksums-Sha256: e7c57918da382e59557e630ae8b9a0aad175d290b47a6f5a87e5345fbc60c559 2264 hsqldb_2.4.1-2+deb10u1.dsc 250ec3165909ad8828745f492745bd0971b08d56e92c18021802e9c510ecd385 3439220 hsqldb_2.4.1.orig.tar.xz 3ca9e81879b0069d41c3be3b936acb186ee9d14d7b73153dc4b911e69661097f 11860 hsqldb_2.4.1-2+deb10u1.debian.tar.xz 8edd878a4fd04807a6f36a35effde8f00fbc9f2b17cb8cbe700111579c1797b7 11889 hsqldb_2.4.1-2+deb10u1_amd64.buildinfo Changes: hsqldb (2.4.1-2+deb10u1) buster-security; urgency=high . * Team upload. * Fix CVE-2022-41853: Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.4.1-2+deb10u1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.4.1-2+deb10u1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled. Files: 948503d612470ad4fdfe08b1ed1f2541 2264 libs optional hsqldb_2.4.1-2+deb10u1.dsc 43dcaf94f55df5ce138105e94586ea64 3439220 libs optional hsqldb_2.4.1.orig.tar.xz 64de275c8594b82369ad477a77336457 11860 libs optional hsqldb_2.4.1-2+deb10u1.debian.tar.xz dbbfceb9896cc64338c4f4f76cee065a 11889 libs optional hsqldb_2.4.1-2+deb10u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmOUlBJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1HkSYgQAKpuKdhP0tD7DRymHogY3SJKWGIaSEiHeGNC LDmP1ioDSa/0Xr+3j7QwkoEEGn0+bN75fjlncWwl7fskb44EAl5CpP80Beo0b1tL 4kg1w65dg/Je88RZPAQmGGorfUBXcKlCitBIR7vVzd5JirTdIx0uyvxEBS08jv5z l/oyF1QYWFseLCvOge9O6iB0fpwXX0pb9P4QNTdku45lJtirjSNV7XdDoFXQ8wud zBAY1jp9g51dUzvEt8XwXNu70YbMEB5MGyJBZUCyRNKPfz8Te4NqaQv+/PgQDPF3 amX21dnVGuBCP9WRdzbEXSgYBM6ZkR1ridsjJlYdFRLI2xPNzmInd5ctJUvSyfNf KeMIVm4uL3sLlFIB9qHqdARASbjFRU5Pw7LSUBKpU8+TVghxzVwvX+nVSAyo5DjC vWnzvRPpsMo0IlqFE2+PgHbq1mQMievEENzl7Or5wIlit5BNjfvSo0AkjHN2AtIc KjKLrAPrUCAGjmKC/afEoEGljOc9dj6kWjpyK2O1fSHhTy4dl2sREe4IBGxw6TYd z1Bnyv7UYbRCOMSMlkSeVB1ORiGW4lISFDMmIIzAZBCJt1aYmzowQUWzHTM4HGuB TTFR7Maoac4u0dJoxvgv54akaTHIU0+B2dKf2sgeTVKUGkJaF6Wm8kCXh2q3oiTo ziIyoe03 =Ljz1 -----END PGP SIGNATURE-----