Hi Ola,
On Monday, 31.10.2022 at 12:55 +0100, Ola Lundqvist wrote:
>
> Any other thoughts?
I agree this is a possible breaking change. I suggest we fix unstable first and
investigate the further implications. I will do that soon. I have updated the
security tracker with information about the possible fixing commit for this
issue. The code looks straightforward. They basically use a whitelist now. The
question is if hsqldb's reverse-dependencies in Debian even need this feature.
We could always fix such a regression by appending a Java argument like
-Dhsqldb.method_class_names="foo;bar" or setting a system property. Apparently
users also need EXECUTE privileges to abuse this flaw.
In short I would not ignore CVE-2022-41853 yet but add it to dla-needed.txt for
further investigation instead.
Regards,
Markus
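The following is an added example, not code from this thread or from the HSQLDB project. It shows the allow-list setting mentioned above (hsqldb.method_class_names, set as a system property before the engine starts, equivalent to the -D JVM argument) together with a check that a static Java method outside the list is refused while a default-permitted java.lang.Math method still works. It assumes HSQLDB 2.7.1 or later on the classpath (the version that introduced the allow list), an in-memory database named "demo", and uses org.example.SafeFunctions as a hypothetical class name standing in for whatever an application deliberately exposes to SQL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example, not code from this thread or from HSQLDB itself.
 * Assumptions: HSQLDB 2.7.1+ on the classpath; in-memory database "demo";
 * "org.example.SafeFunctions" is a hypothetical placeholder class name.
 */
public class MethodAllowlistCheck {

    static {
        // Must be set before the engine initialises. Equivalent JVM argument:
        //   -Dhsqldb.method_class_names="org.example.SafeFunctions"
        // Entries are separated by semicolons.
        System.setProperty("hsqldb.method_class_names", "org.example.SafeFunctions");
    }

    /**
     * Declares an SQL function bound to a static Java method and calls it once.
     * Returns true only if HSQLDB accepted the binding and executed the call;
     * a refusal at either step (the engine may reject the class when the
     * routine is declared or when it is first invoked) yields false.
     */
    static boolean javaMethodCallable(Connection c, String fn, String sqlReturnType,
                                      String javaMethod, String sqlArg) {
        String create = "CREATE FUNCTION " + fn + "(x INT) RETURNS " + sqlReturnType + " "
                      + "LANGUAGE JAVA DETERMINISTIC NO SQL "
                      + "EXTERNAL NAME 'CLASSPATH:" + javaMethod + "'";
        try (Statement st = c.createStatement()) {
            st.execute(create);
            try (ResultSet rs = st.executeQuery("CALL " + fn + "(" + sqlArg + ")")) {
                rs.next();
                System.out.println(javaMethod + " returned " + rs.getString(1));
                return true;
            }
        } catch (SQLException e) {
            System.out.println(javaMethod + " refused: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:hsqldb:mem:demo", "SA", "")) {
            // java.lang.Math stays callable by default in 2.7.1+.
            boolean math = javaMethodCallable(c, "abs_val", "INT",
                                              "java.lang.Math.abs", "-5");
            // java.lang.Integer is neither java.lang.Math nor on the allow list,
            // so the engine is expected to refuse binding it, even for SA.
            boolean hex = javaMethodCallable(c, "to_hex", "VARCHAR(32)",
                                             "java.lang.Integer.toHexString", "255");
            System.out.println("Math.abs callable: " + math
                               + ", Integer.toHexString callable: " + hex);
        }
    }
}
```

Running this against a freshly built hsqldb jar is a quick way to confirm whether the backported fix honours the property in the packaged version, and, for the reverse-dependency question raised in the message, a convenient place to list the classes a given application actually needs. A complementary check is to repeat the calls as a non-admin user that has not been granted EXECUTE on the routine, which exercises the second precondition mentioned above.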