-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Jan 2023 22:13:58 CET
Source: hsqldb
Architecture: source
Version: 2.5.1-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 ac3bbbb0bb6da210c50b8a814757489263e7350e 2271 hsqldb_2.5.1-1+deb11u1.dsc
 36316b9c3cb42613b7dff50af13a1e8906704feb 3534200 hsqldb_2.5.1.orig.tar.xz
 cba7dc832c27eb17853b15d0eb981d46fa2300c1 11336 hsqldb_2.5.1-1+deb11u1.debian.tar.xz
 7c2d8bba04df6f7c7047dc615474f165109ecb89 11991 hsqldb_2.5.1-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 ec9c71de4019c8b73df410a7f00e087fc0cba9e8a9c0b22619281b91a5ff20ee 2271 hsqldb_2.5.1-1+deb11u1.dsc
 c7988fceeda4a2618c78004786253a7d7ae1b3b90fcde65f7c895266203f218f 3534200 hsqldb_2.5.1.orig.tar.xz
 5984678e39999e3b6fe99aa33c5801b5049d9cafdb4b51f8ad2e4584a9ef57de 11336 hsqldb_2.5.1-1+deb11u1.debian.tar.xz
 98fafcbb6a671bfa1de61666a0353a9c0c2477c8c1e288a36b2e9c0a383674cb 11991 hsqldb_2.5.1-1+deb11u1_amd64.buildinfo
Changes:
 hsqldb (2.5.1-1+deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2022-41853:
     Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb
     (HyperSQL DataBase) to process untrusted input may be vulnerable to a
     remote code execution attack. By default it is allowed to call any static
     method of any Java class in the classpath resulting in code execution.
     The issue can be prevented by updating to 2.4.1-2+deb10u1 or by setting
     the system property "hsqldb.method_class_names" to classes which are
     allowed to be called. For example,
     System.setProperty("hsqldb.method_class_names", "abc") or Java argument
     -Dhsqldb.method_class_names="abc" can be used. From version
     2.4.1-2+deb10u1 all classes by default are not accessible except those in
     java.lang.Math and need to be manually enabled.
Files:
 13384e26df16c625ecd78b0cbf5f22e9 2271 libs optional hsqldb_2.5.1-1+deb11u1.dsc
 f660f944c6dd36f2bcfe5e07afc84902 3534200 libs optional hsqldb_2.5.1.orig.tar.xz
 b01681fbc94f8f937233451ce49f8d9e 11336 libs optional hsqldb_2.5.1-1+deb11u1.debian.tar.xz
 739c0506657149959ac309754cd2f032 11991 libs optional hsqldb_2.5.1-1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO91RtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkXagQAKi1D5HykAJ7h/CBk9o9iV1U07ve7zuPBdFu
dSAZ7VAdSGjh5bFkoJt9WiNOdlbWGl6X8tBA/KR6XDpYjrZukiObMjwxFgIvRMBj
+qhaTL1S55Tudwy+WTTpX0qF0cZYTIyxlnmKakb4eL1f4s+2Si4Wu/21Lv/pizL5
fS6JjX5NO0No1v+FbPAEhHmHJ3PTnO34jZlAXTTZjsMqT5raA6HDDrUqFar6vllH
3tRmoaZfu624D5hhvFSi1k77g7pJB8J6nnqehKXvFdarkj9MN+WXsu/DwJBm1vZK
7tUF31WtXrv//dgv/7B6o4e9XVRYgYSq4H0GrFrVxKQjOeSU+QIZB3hhswoEp5Gh
AFPB0+Yi3FAg6FdATRw0Nwk2NzdMjcpSn14n3O1nPLH1J5dC5JjKJ4AeSFbIvrX8
eM6Mq4GkBmxVDJDZEsCRDTwdZJ5bprtW7R7WN6QhForpuLDpl1hWHKLPGoZ6K2Ur
IOA3pb2+9fdd9aqRAOS1NWLBJ10EzDs+fxXufMZBtrlHxuI5zg7ZQFUnaA++gZCd
sXfJiSfNvnREdcmn+bQxXtM10ff8zZ4OTdSnDT4nCyGZ6KteVKOH+uPgo+ah2Q/x
k2mUcmjJAJw2camH9Fe9lv2gIte/I7sYbl/VrsUETSWh4Vh7c4huXfLFv8azlR+A
PC9xyL9R
=vB1H
-----END PGP SIGNATURE-----
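The changelog above describes the CVE-2022-41853 attack surface (any static Java method on the classpath callable from SQL text) and the "hsqldb.method_class_names" allow-list as the mitigation. The following is an added, stand-alone example written for this page; it is not code from the Debian upload or from the HSQLDB project. It assumes an hsqldb.jar on the classpath, a throw-away in-memory database, HSQLDB's legacy syntax of calling a static method by its double-quoted, fully qualified name, that the engine reads the system property once at class initialisation (so it must be set before the driver loads), and that the property value is a ';'-separated list in which "<class>.*" admits every static method of that class. The class name, the UNTRUSTED string and the queries are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not from the Debian upload or the HSQLDB project).
 * Exercises the CVE-2022-41853 attack surface described in the changelog and
 * the hsqldb.method_class_names allow-list. Assumes an hsqldb.jar on the
 * classpath and uses a throw-away in-memory database.
 */
public class MethodClassNamesDemo {

    /** Constructed "untrusted input", e.g. a request parameter that an
     *  application concatenates into SQL text. HSQLDB resolves a double-quoted,
     *  fully qualified Java name followed by an argument list as a call to that
     *  static method (assumption: legacy direct-call syntax). */
    static final String UNTRUSTED = "\"java.lang.System.getProperty\"('java.version')";

    /** Runs one statement and returns the first column of the first row, or null. */
    static String firstValue(Connection c, String sql) throws SQLException {
        try (Statement st = c.createStatement()) {
            if (!st.execute(sql)) {
                return null;
            }
            try (ResultSet rs = st.getResultSet()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Set the allow-list before any HSQLDB class is loaded: the engine reads
        // the system property once during class initialisation (assumption), so
        // setting it after DriverManager has loaded the driver has no effect.
        // Value format assumed from the HSQLDB guide: names separated by ';',
        // "<class>.*" permits every static method of that class.
        if (System.getProperty("hsqldb.method_class_names") == null) {
            System.setProperty("hsqldb.method_class_names", "java.lang.Math.*");
        }

        try (Connection c = DriverManager.getConnection("jdbc:hsqldb:mem:demo", "SA", "")) {
            // Allowed: java.lang.Math is on the allow-list (and is the only
            // class the patched package permits by default).
            System.out.println("Math.abs(-42) = "
                + firstValue(c, "CALL \"java.lang.Math.abs\"(-42)"));

            // Vulnerable pattern: attacker-controlled text becomes part of the
            // statement itself. On an unpatched build with the property unset
            // this executes System.getProperty inside the JVM; any other static
            // method on the classpath is reachable the same way.
            String sql = "CALL " + UNTRUSTED;
            try {
                String v = firstValue(c, sql);
                System.out.println("NOT BLOCKED, java.version = " + v
                    + " (unpatched HSQLDB and no allow-list?)");
            } catch (SQLException e) {
                // Expected with the allow-list in force or on the patched
                // package: the method is rejected when the statement is compiled.
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

Run it once with `-Dhsqldb.method_class_names=` left unset on an unpatched 2.5.1 and once on 2.5.1-1+deb11u1 (or with the property set) to see the second call flip from a returned value to a rejection. The allow-list only narrows the static-method feature; the root problem is untrusted text in the statement, and a PreparedStatement helps only when the untrusted value is a bound parameter rather than part of the SQL string.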