[Bug 1204521] VUL-0: CVE-2022-41853: hsqldb: Untrusted input may lead to RCE attack
https://bugzilla.suse.com/show_bug.cgi?id=1204521
https://bugzilla.suse.com/show_bug.cgi?id=1204521#c7

David Anes <david.anes@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(david.anes@suse.c |
                   |om)                         |

--- Comment #7 from David Anes <david.anes@suse.com> ---

We were *VERY* lucky the feature didn't change in the last 9 years, so I was
able to patch it successfully.

Codestream            Vers.         Request
----------------------------------------------------------------------
SUSE:SLE-12:Update    2.2.9         https://build.suse.de/request/show/283057
SUSE:SLE-15:Update    2.3.3         https://build.suse.de/request/show/283056
openSUSE:Factory      2.6.1->2.7.1  https://build.opensuse.org/request/show/1030922

Please, while documenting the CVE, note in the documentation the following
statement (which now applies to all patched versions):
"If the system property "hsqldb.method_class_names" is not set, then static methods of available Java classes cannot be accessed as functions in HSQLDB. If the property is set, then only the list of semicolon separated method names becomes accessible. An empty property value means no class is accessible."
Previously, if "hsqldb.method_class_names" was not set, **THEN ALL METHODS WERE**
available, which is now the opposite.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
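The allowlist behaviour described in the comment above, shown as an added example (this is not code from the bug report, from SUSE or from the HSQLDB project). It assumes the patched HSQLDB driver is on the classpath, that the property is read when the engine initialises and so must be set before the first connection is opened (or passed as -Dhsqldb.method_class_names=... on the command line), and that the list entries are fully qualified static method names separated by semicolons. The class name MethodClassNamesDemo, the SQL function names and the choice of java.lang.Math.abs as the one permitted method are illustrative; whether the engine rejects an unlisted method when the function is declared or when it is first called is left open, so the example catches both.

```java
// Added example, not HSQLDB's own code: demonstrates the hsqldb.method_class_names
// allowlist in a patched build. Only java.lang.Math.abs is permitted here; any
// other static method, such as java.lang.Math.max, is assumed to be refused.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class MethodClassNamesDemo {

    // Assumption: the property must be in place before the engine starts, so set it
    // in a static initialiser (equivalent to -Dhsqldb.method_class_names=java.lang.Math.abs).
    // Leaving it unset on an unpatched release meant every static method on the
    // classpath was callable from SQL; an empty value on a patched release allows none.
    static {
        System.setProperty("hsqldb.method_class_names", "java.lang.Math.abs");
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:hsqldb:mem:demo", "SA", "");
             Statement st = c.createStatement()) {

            // Listed method: declaring and calling a SQL function backed by it works.
            st.execute("CREATE FUNCTION abs_val(x INT) RETURNS INT LANGUAGE JAVA "
                     + "DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:java.lang.Math.abs'");
            try (ResultSet rs = st.executeQuery("CALL abs_val(-7)")) {
                rs.next();
                System.out.println("abs_val(-7) = " + rs.getInt(1));
            }

            // Unlisted method: on a patched build the declaration or the first call
            // fails with an SQLException. Before the fix, with the property unset,
            // both would have succeeded for any class on the classpath.
            try {
                st.execute("CREATE FUNCTION max_val(a INT, b INT) RETURNS INT LANGUAGE JAVA "
                         + "DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:java.lang.Math.max'");
                try (ResultSet rs = st.executeQuery("CALL max_val(1, 2)")) {
                    rs.next();
                    System.out.println("max_val callable: method access is NOT restricted, "
                                     + "check the HSQLDB version and the property");
                }
            } catch (SQLException e) {
                System.out.println("max_val refused as expected: " + e.getMessage());
            }
        }
    }
}
```

Run it once with the property set as above and once with the static initialiser removed: on a release that carries the fix the second run should refuse both functions, while an unpatched 2.x release will happily declare and call max_val, which is the condition the CVE describes.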