Your message dated Sat, 12 Feb 2022 21:07:02 +0000
with message-id <e1nizbi-0009mk...@fasolo.debian.org>
and subject line Bug#1003894: fixed in h2database 2.1.210-1
has caused the Debian Bug report #1003894,
regarding h2database: CVE-2021-42392
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003894: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003894
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: h2database
Version: 1.4.197-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for h2database.

CVE-2021-42392[0]:
| The org.h2.util.JdbcUtils.getConnection method of the H2 database
| takes as parameters the class name of the driver and URL of the
| database. An attacker may pass a JNDI driver name and a URL leading to
| a LDAP or RMI servers, causing remote code execution. This can be
| exploited through various attack vectors, most notably through the H2
| Console which leads to unauthenticated remote code execution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-42392
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392
[1] https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
[2] https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: h2database
Source-Version: 2.1.210-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
h2database, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated h2database package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 12 Feb 2022 21:04:26 +0100
Source: h2database
Architecture: source
Version: 2.1.210-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1003894
Changes:
 h2database (2.1.210-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.1.210
     - Fix CVE-2021-42392 and CVE-2022-23221.
       Possible remote code execution through the H2 Console or via a
       jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE option.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #1003894)
   * Switch to debhelper-compat = 13.
   * Declare compliance with Debian Policy 4.6.0.
   * Rebase use-jar-files-from-debian.patch and reproducible-javadoc.patch.
     Drop remaining patches.
   * Build-depend on libjakarta-servlet-api-java, libasm-java,
     libservlet-api-java and liblucene8-java.

--- End Message ---
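As an added defensive example (not H2's or Debian's code), serving both the CVE-2021-42392 description in the report and the changelog's note on CVE-2022-23221: a Python screen for the (driver class, URL) pair that JdbcUtils.getConnection accepts, refusing names that resolve to a JNDI naming context, URLs that point at a remote LDAP/RMI provider, and jdbc:h2:mem URLs carrying IGNORE_UNKNOWN_SETTINGS=TRUE. The driver allowlist, the function name and every sample input are constructed assumptions.

```python
"""Screen H2 JDBC connection requests for the patterns named in
CVE-2021-42392 and CVE-2022-23221 (hypothetical helper, not H2 code)."""
import re
from typing import List
from urllib.parse import urlsplit

# Only genuine java.sql.Driver implementations should reach getConnection.
# Constructed allowlist for this example; extend it for a real deployment.
ALLOWED_DRIVERS = {"org.h2.Driver"}

# Class names that resolve to a JNDI naming context instead of a JDBC driver.
JNDI_CONTEXT_RE = re.compile(r"^(javax\.naming\.|com\.sun\.jndi\.)")

# URL schemes that reach a remote JNDI provider (the LDAP/RMI vectors).
REMOTE_JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "iiop"}

# CVE-2022-23221: in-memory URL option that lets unknown settings through.
IGNORE_UNKNOWN_RE = re.compile(r"ignore_unknown_settings\s*=\s*true", re.I)


def screen_request(driver: str, url: str) -> List[str]:
    """Return the reasons a (driver, url) pair should be refused.

    An empty list means the request looks like an ordinary JDBC connection
    to an allowlisted driver; anything else should be rejected and logged.
    """
    reasons: List[str] = []
    if driver not in ALLOWED_DRIVERS:
        reasons.append(f"driver class not allowlisted: {driver}")
    if JNDI_CONTEXT_RE.match(driver):
        reasons.append("driver class is a JNDI naming context, not a JDBC driver")

    scheme = urlsplit(url).scheme.lower()
    if scheme in REMOTE_JNDI_SCHEMES:
        reasons.append(f"URL points at a remote JNDI provider ({scheme}://)")
    elif scheme != "jdbc":
        reasons.append(f"URL scheme is not jdbc: ({scheme or 'none'})")

    if url.lower().startswith("jdbc:h2:mem:") and IGNORE_UNKNOWN_RE.search(url):
        reasons.append("jdbc:h2:mem URL sets IGNORE_UNKNOWN_SETTINGS=TRUE")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests: one benign, two matching the CVE patterns.
    for drv, u in [("org.h2.Driver", "jdbc:h2:~/test"),
                   ("javax.naming.InitialContext", "ldap://example.invalid/x"),
                   ("org.h2.Driver", "jdbc:h2:mem:t;IGNORE_UNKNOWN_SETTINGS=TRUE")]:
        print(drv, u, "->", screen_request(drv, u) or "ok")
```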