David Anes changed bug 1204521
What     Removed                           Added
Flags    needinfo?(david.anes@suse.com)

Comment # 7 on bug 1204521 from
We were *VERY* lucky the feature didn't change in the last 9 years, so I was
able to patch it successfully.

Codestream         Vers.        Request
----------------------------------------------------------------------
SUSE:SLE-12:Update 2.2.9        https://build.suse.de/request/show/283057
SUSE:SLE-15:Update 2.3.3        https://build.suse.de/request/show/283056
openSUSE:Factory   2.6.1->2.7.1 https://build.opensuse.org/request/show/1030922

Please, while documenting the CVE, note in the documentation the following
statement (which now applies to all patched versions):

> "If the system property "hsqldb.method_class_names" is not set, then
> static methods of available Java classes cannot be accessed as functions
> in HSQLDB. If the property is set, then only the list of semicolon
> separated method names becomes accessible. An empty property value means
> no class is accessible."

Previously, if "hsqldb.method_class_names" was not set, **THEN ALL METHODS
WERE** available, which is now the opposite.
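
The default flip described in the comment above can be checked per service by looking at how each JVM is started. The following is an added example, not part of the original comment or of HSQLDB: it models the quoted statement over constructed command lines. It assumes exact-name matching of list entries, that the last -D occurrence wins, and that an empty value already meant "no class" before the patch.

```python
import shlex

PROP = "hsqldb.method_class_names"

def property_value(jvm_cmdline):
    """Return the property value from a JVM command line, or None if unset."""
    value = None
    for arg in shlex.split(jvm_cmdline):
        if arg == "-D" + PROP:
            value = ""                      # -Dname without '=' is an empty value
        elif arg.startswith("-D" + PROP + "="):
            value = arg.split("=", 1)[1]    # assumed: last occurrence wins
    return value

def policy(value, patched):
    """Map a property value to ('all' | 'none' | 'list', allowed names)."""
    if value is None:
        # The behaviour change: unset meant every method, now it means none.
        return ("none" if patched else "all", frozenset())
    names = frozenset(n.strip() for n in value.split(";") if n.strip())
    return ("list", names) if names else ("none", names)

def is_accessible(method, value, patched):
    """Exact-name check against the allowlist (a simplifying assumption)."""
    kind, names = policy(value, patched)
    return kind == "all" or (kind == "list" and method in names)

def audit(cmdlines, patched):
    """Return {service: policy kind} for a mapping of service -> command line."""
    return {svc: policy(property_value(cmd), patched)[0]
            for svc, cmd in cmdlines.items()}

# Constructed sample command lines; service and class names are hypothetical.
SAMPLE = {
    "svc-default": "java -jar app.jar",
    "svc-empty": "java -Dhsqldb.method_class_names= -jar app.jar",
    "svc-allowlist": 'java "-Dhsqldb.method_class_names='
                     'org.example.Util.normalize;org.example.Util.trim" -jar app.jar',
}

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", audit(SAMPLE, patched))
```

A service reported as "all" before the update and "none" after it is one that relied on the old default and needs an explicit list if it calls Java methods from SQL.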

