Your message dated Sun, 04 Dec 2022 21:07:58 +0000
with message-id <[email protected]>
and subject line Bug#1023573: fixed in hsqldb 2.7.1-1
has caused the Debian Bug report #1023573,
regarding hsqldb: CVE-2022-41853
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1023573: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023573
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: hsqldb
Version: 2.7.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for hsqldb.
CVE-2022-41853[0]:
| Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb
| (HyperSQL DataBase) to process untrusted input may be vulnerable to a
| remote code execution attack. By default it is allowed to call any
| static method of any Java class in the classpath resulting in code
| execution. The issue can be prevented by updating to 2.7.1 or by
| setting the system property "hsqldb.method_class_names" to classes
| which are allowed to be called. For example,
| System.setProperty("hsqldb.method_class_names", "abc") or Java
| argument -Dhsqldb.method_class_names="abc" can be used. From version
| 2.7.1 all classes by default are not accessible except those in
| java.lang.Math and need to be manually enabled.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-41853
https://www.cve.org/CVERecord?id=CVE-2022-41853
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7
[2] http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control
[3] https://sourceforge.net/p/hsqldb/svn/6614/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
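The mitigation quoted in the report above is a JVM system property that names the Java classes whose static methods HSQLDB may invoke from SQL. The following startup guard is an added example written for this page; it is not code from the Debian report, from Salvatore, or from the hsqldb project. It assumes the hsqldb jar is on the classpath, that the property is read when HSQLDB initializes (so it must be set before the first JDBC call), and that `DatabaseMetaData.getDatabaseProductVersion()` returns the plain dotted HSQLDB version. The class name, method names, and the choice of `java.lang.Math` as the only allowed class are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

/**
 * Startup guard for applications embedding HSQLDB (added example, hypothetical class).
 * It installs the "hsqldb.method_class_names" allow-list before any HSQLDB class is
 * loaded, then checks at runtime that the library in use is either >= 2.7.1 (restrictive
 * by default) or has the allow-list set, and refuses to start otherwise.
 */
public final class HsqldbMethodAccessGuard {

    static final String PROP = "hsqldb.method_class_names";
    static final String FIXED_VERSION = "2.7.1";

    /** Set the allow-list unless the operator already passed -Dhsqldb.method_class_names. */
    public static String applyAllowList(String allowedClasses) {
        String current = System.getProperty(PROP);
        if (current == null || current.isEmpty()) {
            System.setProperty(PROP, allowedClasses);
        }
        return System.getProperty(PROP);
    }

    /** Numeric dotted-version comparison: "2.7.10" >= "2.7.1", "2.6.9" is not. */
    public static boolean isAtLeast(String actual, String required) {
        String[] a = actual.split("\\.");
        String[] r = required.split("\\.");
        int n = Math.max(a.length, r.length);
        for (int i = 0; i < n; i++) {
            int ai = i < a.length ? parseLeadingInt(a[i]) : 0;
            int ri = i < r.length ? parseLeadingInt(r[i]) : 0;
            if (ai != ri) {
                return ai > ri;
            }
        }
        return true;
    }

    /** Parse the leading digits of a version component ("1rc2" -> 1); no digits -> 0. */
    private static int parseLeadingInt(String s) {
        int end = 0;
        while (end < s.length() && Character.isDigit(s.charAt(end))) {
            end++;
        }
        return end == 0 ? 0 : Integer.parseInt(s.substring(0, end));
    }

    public static void main(String[] args) throws SQLException {
        // 1. Allow-list first, before the driver is touched. java.lang.Math is the same
        //    default that 2.7.1 ships with; widen it only for classes you deliberately expose.
        String allowed = applyAllowList("java.lang.Math");

        // 2. Ask the library which HSQLDB it really is; an in-memory database is enough.
        //    (mem: databases default to user SA with an empty password.)
        try (Connection c = DriverManager.getConnection(
                "jdbc:hsqldb:mem:guard;shutdown=true", "SA", "")) {
            String version = c.getMetaData().getDatabaseProductVersion();
            boolean fixed = isAtLeast(version, FIXED_VERSION);
            System.out.println("HSQLDB " + version
                    + (fixed ? " (restrictive by default)" : " (pre-2.7.1, relies on allow-list)"));
            System.out.println(PROP + " = " + allowed);
            if (!fixed && (allowed == null || allowed.isEmpty())) {
                throw new IllegalStateException(
                        "HSQLDB " + version + " without " + PROP + " set: refusing to start");
            }
        }
    }
}
```

Run it with the hsqldb jar on the classpath (`java -cp hsqldb.jar:. HsqldbMethodAccessGuard`). Because the property is only honoured if it is in place when HSQLDB initializes, setting it in a launcher via `-Dhsqldb.method_class_names=...` is the more robust choice for deployments where the application code cannot guarantee it runs before the first connection is opened; the guard above then merely verifies it.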
--- Begin Message ---
Source: hsqldb
Source-Version: 2.7.1-1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
hsqldb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated hsqldb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 04 Dec 2022 21:32:57 +0100
Source: hsqldb
Architecture: source
Version: 2.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1023573
Changes:
hsqldb (2.7.1-1) unstable; urgency=medium
.
* New upstream version 2.7.1.
- Fix CVE-2022-41853:
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb
(HyperSQL DataBase) to process untrusted input may be vulnerable to a
remote code execution attack. By default it is allowed to call any static
method of any Java class in the classpath resulting in code execution.
The issue can be prevented by updating to 2.7.1 or by setting the system
property "hsqldb.method_class_names" to classes which are allowed to be
called. For example, System.setProperty("hsqldb.method_class_names",
"abc") or Java argument -Dhsqldb.method_class_names="abc" can be used.
From version 2.7.1 all classes by default are not accessible except those
in java.lang.Math and need to be manually enabled.
(Closes: #1023573)
Checksums-Sha1:
6cb9a2688562741a81eb3da5f4aba832615769a3 2239 hsqldb_2.7.1-1.dsc
5b5cb87b48614f82576faec871e81f2cb308955f 3563928 hsqldb_2.7.1.orig.tar.xz
af0012ae4c3796efdbc75aa9e117e5f17d0996f8 11768 hsqldb_2.7.1-1.debian.tar.xz
5cfbb84418b8f43d5fcad11b2165038d5c819bbf 12702 hsqldb_2.7.1-1_amd64.buildinfo
Checksums-Sha256:
6ea736372faf5af6715ff357193e6156766717e2037b2401d9d05a82cf2a71be 2239 hsqldb_2.7.1-1.dsc
3605a8b3223d98fc0b50aa405ae1b4074be55fc9aaefeb56a441ffb11767e071 3563928 hsqldb_2.7.1.orig.tar.xz
7858f29ce0a472eb03f5e62c8ec4d9e8e0b37373d19c21b2a525233666cd9b0f 11768 hsqldb_2.7.1-1.debian.tar.xz
a3d070c788efd5d5f92361193f0b246fc12e7c1583148088ef2467a1b001a9db 12702 hsqldb_2.7.1-1_amd64.buildinfo
Files:
eb6d2da20a1d3f39add460125f87e374 2239 libs optional hsqldb_2.7.1-1.dsc
695a1f0dbbbcf7e0d700be8cc5b5a4b6 3563928 libs optional hsqldb_2.7.1.orig.tar.xz
4d97fae8b0d5de593d5b68b4370470f5 11768 libs optional hsqldb_2.7.1-1.debian.tar.xz
20e9a0db6ee559dd9d4359a3f11ff2c6 12702 libs optional hsqldb_2.7.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmONBg5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk6rMP/09n0d+g92W7vfNhXmPwkUczQ/iYeGPKU9QK
XrZm4Oj38JUtt+3uMA2M9eeuV7njRznjN2Bu1K2XKSIV6dRy2ZqfoyE4f7c54TN6
Jayn/UAf5CogPHO9mcM37m5gLKqkyW5V2bu61N70DTAlRDC/XGGe/HTotl2Ttzq9
qxSTh6UHxJS/2PVfQw8LVfCiLAedCyq4Ep/pr9oSJtCBV886V51qsDbTpVljpHWX
ODmlKeQ5R3I3dX6no2yi/yg9j3ZlypBJYcz/JgDx5VFzTieHts7odpbGNiOVxMIF
vuz8UDnahwLmWTKWfcU58UPP++8/xnS6Ih6fvBqRn7EGgeLDzhM3hIrJhmF5LkZO
VD6s9RZmnSkJH4OTv4DnyY5UmfFLJ8HIRAyS43mo6mjYY3U6FZh1rSb6GWlY/2m5
53u/bvWN8hj9cQc/xf5ifv2V24S1O701QO/Xu4rVZTXKnXg/zIXSjoDS2xYtiXdU
/X3pjIfFL4YTItIZQVOfhXM9wW56zjsdplehGJFtKENZH8DnTJCpni5lOAIZTn6G
8hjSD3p6Ue0ywjECg2hWc/ax10UFLxBOvLUpYiv5JFklYkb7B96pnkVvFdJoGHeI
xrqtgXCknE6+RrWiTzY680RxFaCd/IVG1csu5hoNNf1xXQdhIMgrfz167SAwGvDa
s0VPEn5A
=MDn8
-----END PGP SIGNATURE-----
--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.