
Re: Propose to ignore CVE-2022-41853 for hsqldb

Hi Ola,

On Monday, 31.10.2022 at 12:55 +0100, Ola Lundqvist wrote:
> Any other thoughts?

I agree this is a possible breaking change. I suggest we fix unstable first and
investigate the further implications. I will do that soon. I have updated the
security tracker with information about the possible fixing commit for this
issue. The code looks straightforward. They basically use a whitelist now. The
question is if hsqldb's reverse-dependencies in Debian even need this feature.
We could always fix such a regression by appending a Java argument like 
-Dhsqldb.method_class_names="foo;bar" or setting a system property. Apparently
users also need EXECUTE privileges to abuse this flaw.

In short I would not ignore CVE-2022-41853 yet but add it to dla-needed.txt for
further investigation instead.




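The reply above raises two practical questions for a maintainer: whether hsqldb's reverse-dependencies in Debian actually bind SQL routines to Java static methods (the feature the whitelist restricts), and, if they do, what value to put into -Dhsqldb.method_class_names. The script below is an added example for answering both from a package's sources; it is not part of the original message, of hsqldb, or of Debian tooling. It assumes the semicolon-separated "foo;bar" form quoted in the message for the property value, and the SQL it scans is constructed here for illustration, as are the class name org.example.Util and the file names.

```shell
#!/bin/sh
# Added example, not from the original message or from hsqldb/Debian.
# Scans a reverse-dependency's SQL (or Java source containing embedded SQL)
# for HSQLDB routines bound to Java static methods, i.e.
#   EXTERNAL NAME 'CLASSPATH:pkg.Class.method'
# and derives the class list one would pass as
#   -Dhsqldb.method_class_names="pkg.Class;other.Class"
# Assumption: the "foo;bar" separator form quoted in the message.

# Print the fully-qualified Java classes referenced via CLASSPATH: in $1,
# one per line, deduplicated. The trailing ".method" component is dropped.
classpath_classes() {
    grep -o "CLASSPATH:[A-Za-z_][A-Za-z0-9_.]*" "$1" 2>/dev/null \
        | sed -e 's/^CLASSPATH://' -e 's/\.[^.]*$//' \
        | sort -u
}

# Join the classes into the property value, e.g. "a.b.C;d.e.F".
# Prints nothing when the file uses no Java-backed routines, which is the
# "this reverse-dependency does not need the feature" case.
method_class_names() {
    classpath_classes "$1" | paste -sd ';' -
}

# Constructed sample: two routines backed by java.lang.Math and one backed by
# a hypothetical application class org.example.Util.
SAMPLE_SQL=$(mktemp)
cat > "$SAMPLE_SQL" <<'EOF'
CREATE FUNCTION sqrt_of(x DOUBLE) RETURNS DOUBLE
  LANGUAGE JAVA DETERMINISTIC NO SQL
  EXTERNAL NAME 'CLASSPATH:java.lang.Math.sqrt';
CREATE FUNCTION abs_of(x DOUBLE) RETURNS DOUBLE
  LANGUAGE JAVA DETERMINISTIC NO SQL
  EXTERNAL NAME 'CLASSPATH:java.lang.Math.abs';
CREATE PROCEDURE audit_log(IN msg VARCHAR(200))
  LANGUAGE JAVA NO SQL
  EXTERNAL NAME 'CLASSPATH:org.example.Util.log';
EOF

# Constructed sample with no Java-backed routines at all.
PLAIN_SQL=$(mktemp)
printf 'CREATE TABLE t (id INT PRIMARY KEY);\n' > "$PLAIN_SQL"

# Example invocation: the JVM argument a maintainer could append if the
# package turns out to need the feature after the whitelist lands.
names=$(method_class_names "$SAMPLE_SQL")
if [ -n "$names" ]; then
    echo "-Dhsqldb.method_class_names=\"$names\""
else
    echo "no CLASSPATH: routines found; no whitelist entry needed"
fi
```

Run it over the `debian/` patches, bundled `.sql` files and Java sources of each reverse-dependency; an empty result means the package never binds SQL routines to arbitrary Java methods and the whitelist change cannot regress it. Two caveats: the script only finds literal `CLASSPATH:` strings, so routines created from SQL assembled at runtime are missed, and the exact value syntax accepted by hsqldb beyond the quoted "foo;bar" form (for example package wildcards, or whether java.lang.Math needs listing at all) is not established by the message above and should be checked against the fixing commit referenced in the security tracker before shipping a default.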