Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 5313-1] hsqldb security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 5313-1] hsqldb security update


Chronologisch Thread  
    < Chronologisch >       < Thread >
  • From: Markus Koschany <apo AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 5313-1] hsqldb security update
  • Date: Tue, 10 Jan 2023 23:15:17 +0000
  • Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=none; spf=none (mail.piratenpartei.de: domain of "bounce-debian-security-announce=it-securitynotifies=lists.piratenpartei.de AT lists.debian.org" has no SPF policy when checking 2001:41b8:202:deb:216:36ff:fe40:4002) smtp.mailfrom="bounce-debian-security-announce=it-securitynotifies=lists.piratenpartei.de AT lists.debian.org"
  • List-archive: https://lists.debian.org/msgid-search/Y73xhc25DEL2KTjw AT seger.debian.org
  • List-id: <debian-security-announce.lists.debian.org>
  • List-url: <http://lists.debian.org/debian-security-announce/>
  • Old-dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.seger; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date :Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description: In-Reply-To:References; bh=DALAwevl2Ywxw0pQBcVomMNNafSsQEfLDugkw2TQBA8=; b=ij EmER5k51NB1qb1n0DzMQcPcdV14nzKQJAEwY8RUHYMgt6FTZJudldgOpM7SB6jhjTML10sdW0ohm6 YfbkhS6EQursEqbDmpBTHJqPPq87LgwnqqVwRd4UgUl3emTA8srjx5J9ZYeDy9gac72ufjO+BF8QH ZuUuXrdL1zj1fV7eGMvLFHdbzHmbUbhCHWWTONOmZS1tm8aXTzYnhWrZrzFuZtwtUA48XcA3XYLxb l2CwWKlLMw8fmkGhCqzl11QXdxIEf66gWkHUiBzCnoQi9iZBlILUii9cOKjt/6KXWkh+YBnjPYgap t8v4Op9qrvim7qpj83DGCfzQ5ELoR/xQ==;
  • Old-return-path: <apo AT seger.debian.org>
  • Priority: urgent
  • Resent-date: Tue, 10 Jan 2023 23:33:16 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <FqQSfMwaj9K.A.aAD.8WfvjB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5313-1 security AT debian.org
https://www.debian.org/security/ Markus Koschany
January 11, 2023 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : hsqldb
CVE ID : CVE-2022-41853
Debian Bug : 1023573

It was found that those using java.sql.Statement or java.sql.PreparedStatement
in hsqldb, a Java SQL database, to process untrusted input may be vulnerable
to
a remote code execution attack. By default it is allowed to call any static
method of any Java class in the classpath resulting in code execution. The
issue can be prevented by updating to 2.5.1-1+deb11u1 or by setting the system
property "hsqldb.method_class_names" to classes which are allowed to be
called.
For example, System.setProperty("hsqldb.method_class_names","abc") or Java
argument -Dhsqldb.method_class_names="abc" can be used. From version
2.5.1-1+deb11u1 all classes by default are not accessible except those in
java.lang.Math and need to be manually enabled.

For the stable distribution (bullseye), this problem has been fixed in
version 2.5.1-1+deb11u1.

We recommend that you upgrade your hsqldb packages.

For the detailed security status of hsqldb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/hsqldb

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO98RdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTvExAAr/PkL7dghDuiVOzcE6Imt2Z1p+qeOIQf/UbvwSZw/fb5zt9QrDmM/fp3
d9GhWOoxzspsmNJ6LieCMeN4pih+q1DXaD6HE9o+X90FjYXaJSnfRZMCjbYor6dt
N7CnzJnBnr/5iJ6XTS9lSmntpPdLlpXpdicivSeEtLkDgYH3LnZ/YKPVWPnDD6gu
sce8t3yttfzgZkGL7h6jhS5aWZwD4bbvUVEeb0uzGlYALP3yv4znbwS1483jUPwB
0bfUu2mYgR6+byHMoud+aqbqZXkKL4nr+FkwYIRyXkXn5riME+jkM8LegU0kF3A5
CkwylkbUdLk4D7glskpuwWbxTjdAmuiqLoHpNbBPyqHd8w4GcOr/ZlcZIXEqownS
Nv3pGDjqA3KLWzTKmfIAidSLbnKhqQkWpvRlv34kb8jgqDHmYR3wORaHW6jOGGys
Bqx4igyLLgYGQukk8pHahoR8VF6hiHihkVjjylqnx6m5hAt4CpQCtCzG9IKqTKjS
ApT8qM8JNvfzgu0Fa3hiY4O3lbr6W5elSnAjeh49tRaRmT/nT6n4sng0MOCPeBsX
XRhr8UuwZhh4SU9XAGJ3O6yVRoouAb/IIM6ALwFlMDRwHU+lB3YJhciXj1yMFJqW
UKleG3lajnEDXYhlF50W26LKXRE7KAUmkt7H3wQxkgHAKRqPrbc=
=3k8R
-----END PGP SIGNATURE-----


  • [IT-SecNots] [SECURITY] [DSA 5313-1] hsqldb security update, Markus Koschany, 11.01.2023

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang