Hi, good suggestion. I have added the package to dla-needed.txt and referred to this email chain.

Cheers

// Ola

On Mon, 31 Oct 2022 at 13:53, Markus Koschany <a...@debian.org> wrote:
> Hi Ola,
>
> On Monday, 31.10.2022 at 12:55 +0100, Ola Lundqvist wrote:
> >
> > Any other thoughts?
>
> I agree this is a possible breaking change. I suggest we fix unstable first and
> investigate the further implications. I will do that soon. I have updated the
> security tracker with information about the possible fixing commit for this
> issue. The code looks straightforward. They basically use a whitelist now. The
> question is if hsqldb's reverse-dependencies in Debian even need this feature.
> We could always fix such a regression by appending a Java argument like
> -Dhsqldb.method_class_names="foo;bar" or setting a system property. Apparently
> users also need EXECUTE privileges to abuse this flaw.
>
> In short I would not ignore CVE-2022-41853 yet but add it to dla-needed.txt for
> further investigation instead.
>
> Regards,
>
> Markus

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com                    o...@debian.org            |
| http://inguza.com/                Mobile: +46 (0)70-332 1551  |
 ---------------------------------------------------------------