Hi Ola, Am Montag, dem 31.10.2022 um 12:55 +0100 schrieb Ola Lundqvist: > > Any other thoughts? I agree this is a possible breaking change. I suggest we fix unstable first and investigate the further implications. I will do that soon. I have updated the security tracker with information about the possible fixing commit for this issue. The code looks straightforward. They basically use a whitelist now. The question is if hsqldb's reverse-dependencies in Debian even need this feature. We could always fix such a regression by appending a Java argument like -Dhsqldb.method_class_names="foo;bar" or setting a system property. Apparently users also need EXECUTE privileges to abuse this flaw. In short I would not ignore CVE-2022-41853 yet but add it to dla-needed.txt for further investigation instead. Regards, Markus
Attachment:
signature.asc
Description: This is a digitally signed message part