
Re: Propose to ignore CVE-2022-41853 for hsqldb


Good suggestion. I have added the package to dla-needed.txt and referred to this email chain.


// Ola

On Mon, 31 Oct 2022 at 13:53, Markus Koschany <apo@debian.org> wrote:
Hi Ola,

Am Montag, dem 31.10.2022 um 12:55 +0100 schrieb Ola Lundqvist:
> Any other thoughts?

I agree this is a possible breaking change. I suggest we fix unstable first and
investigate the further implications. I will do that soon. I have updated the
security tracker with information about the possible fixing commit for this
issue. The code looks straightforward. They basically use a whitelist now. The
question is if hsqldb's reverse-dependencies in Debian even need this feature.
We could always fix such a regression by appending a Java argument like 
-Dhsqldb.method_class_names="foo;bar" or setting a system property. Apparently
users also need EXECUTE privileges to abuse this flaw.

In short I would not ignore CVE-2022-41853 yet but add it to dla-needed.txt for
further investigation instead.



 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
