Accepted hsqldb 2.4.1-2+deb10u1 (source) into oldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted hsqldb 2.4.1-2+deb10u1 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 10 Dec 2022 14:30:23 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: hsqldb_2.4.1-2+deb10u1_source.changes
- Debian-source: hsqldb
- Debian-suite: oldstable
- Debian-version: 2.4.1-2+deb10u1
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1p40rv-006MOk-QI@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 10 Dec 2022 15:13:19 CET
Source: hsqldb
Architecture: source
Version: 2.4.1-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
b18bc9a180f7e92a18285b3b7c756b015546bd99 2264 hsqldb_2.4.1-2+deb10u1.dsc
8b586e05e2935a60fe13e6c4ba9c3feddab50351 3439220 hsqldb_2.4.1.orig.tar.xz
592719d8d409c7bc86b4e464913aa3ace1d37901 11860 hsqldb_2.4.1-2+deb10u1.debian.tar.xz
9049bc59aa3c983154c0c387b7d9ed85348b0d19 11889 hsqldb_2.4.1-2+deb10u1_amd64.buildinfo
Checksums-Sha256:
e7c57918da382e59557e630ae8b9a0aad175d290b47a6f5a87e5345fbc60c559 2264 hsqldb_2.4.1-2+deb10u1.dsc
250ec3165909ad8828745f492745bd0971b08d56e92c18021802e9c510ecd385 3439220 hsqldb_2.4.1.orig.tar.xz
3ca9e81879b0069d41c3be3b936acb186ee9d14d7b73153dc4b911e69661097f 11860 hsqldb_2.4.1-2+deb10u1.debian.tar.xz
8edd878a4fd04807a6f36a35effde8f00fbc9f2b17cb8cbe700111579c1797b7 11889 hsqldb_2.4.1-2+deb10u1_amd64.buildinfo
Changes:
hsqldb (2.4.1-2+deb10u1) buster-security; urgency=high
.
* Team upload.
* Fix CVE-2022-41853:
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb
(HyperSQL DataBase) to process untrusted input may be vulnerable to a
remote code execution attack. By default it is allowed to call any static
method of any Java class in the classpath resulting in code execution. The
issue can be prevented by updating to 2.4.1-2+deb10u1 or by setting the
system property "hsqldb.method_class_names" to classes which are allowed to
be called. For example, System.setProperty("hsqldb.method_class_names",
"abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From
version 2.4.1-2+deb10u1 all classes by default are not accessible except
those in java.lang.Math and need to be manually enabled.
Files:
948503d612470ad4fdfe08b1ed1f2541 2264 libs optional hsqldb_2.4.1-2+deb10u1.dsc
43dcaf94f55df5ce138105e94586ea64 3439220 libs optional hsqldb_2.4.1.orig.tar.xz
64de275c8594b82369ad477a77336457 11860 libs optional hsqldb_2.4.1-2+deb10u1.debian.tar.xz
dbbfceb9896cc64338c4f4f76cee065a 11889 libs optional hsqldb_2.4.1-2+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
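An added example, not part of the Debian announcement or of hsqldb: a Python audit of JVM command lines for the two mitigations the changelog names (the fixed package version, or the "hsqldb.method_class_names" property). The `package_fixed` flag, the verdict labels and the sample command lines are constructed; splitting the value on `;` and treating a trailing `*` as a wildcard are assumptions about the property syntax, since the announcement shows only the single value "abc".

```python
"""Audit JVM command lines for the hsqldb.method_class_names mitigation."""

PROP = "-Dhsqldb.method_class_names="
# Launcher options whose value is the next token (so it is not the main class).
TAKES_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path",
               "--add-modules", "--upgrade-module-path"}


def jvm_options(argv):
    """Yield only the options the JVM itself parses: everything before the
    main class, -jar or -m/--module. Later tokens go to the application."""
    it = iter(argv[1:])              # argv[0] is the java binary
    for tok in it:
        if tok in ("-jar", "-m", "--module") or not tok.startswith("-"):
            return
        if tok in TAKES_VALUE:
            next(it, None)           # skip the option's value
            continue
        yield tok


def allowlist(argv):
    """Return the configured class list, or None when the property is unset."""
    value = None
    for opt in jvm_options(argv):
        if opt.startswith(PROP):
            value = opt[len(PROP):]  # a later -D overrides an earlier one
    if value is None:
        return None
    # Assumption: entries are separated by ';' (the page shows one value only).
    return [e.strip() for e in value.split(";") if e.strip()]


def assess(argv, package_fixed):
    """Classify one JVM; package_fixed means hsqldb >= 2.4.1-2+deb10u1."""
    entries = allowlist(argv)
    if entries is None:
        # Fixed package: only java.lang.Math is callable by default.
        return "default-deny" if package_fixed else "exposed"
    if any(e.endswith("*") for e in entries):
        return "review-wildcard"     # broad entry, check what it admits
    return "allowlisted"


if __name__ == "__main__":
    # Constructed sample: the -D comes after -jar, so the JVM never sees it.
    sample = ["java", "-jar", "app.jar", "-Dhsqldb.method_class_names=abc"]
    print(assess(sample, package_fixed=False))
```

On Linux the argument vector of a running JVM can be read from /proc/<pid>/cmdline by splitting on NUL bytes.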