https://bugzilla.suse.com/show_bug.cgi?id=1204521
https://bugzilla.suse.com/show_bug.cgi?id=1204521#c7
David Anes changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|needinfo?(david.anes@suse.c |
|om) |
--- Comment #7 from David Anes ---
We were *VERY* lucky the feature didn't change in the last 9 years, so I was
able to patch it successfully.
Codestream Vers. Request
----------------------------------------------------------------------
SUSE:SLE-12:Update 2.2.9 https://build.suse.de/request/show/283057
SUSE:SLE-15:Update 2.3.3 https://build.suse.de/request/show/283056
openSUSE:Factory 2.6.1->2.7.1 https://build.opensuse.org/request/show/1030922
Please, while documenting the CVE, note in the documentation the following
statement (which now applies to all patched versions):
"If the system property "hsqldb.method_class_names" is not set, then
static methods of available Java classes cannot be accessed as functions
in HSQLDB. If the property is set, then only the list of semicolon
separated method names becomes accessible. An empty property value means
no class is accessible."
Previously, if "hsqldb.method_class_names" was not set, **THEN ALL METHODS
WERE** available which is now the opposite.
--
You are receiving this mail because:
You are on the CC list for the bug.