-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5076-1                   security@debian.org
https://www.debian.org/security/                           Markus Koschany
February 15, 2022                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : h2database
CVE ID         : CVE-2021-42392 CVE-2022-23221
Debian Bug     : 1003894

Security researchers of JFrog Security and Ismail Aydemir discovered two
remote code execution vulnerabilities in the H2 Java SQL database engine
which can be exploited through various attack vectors, most notably through
the H2 Console and by loading custom classes from remote servers through
JNDI.

The H2 console is a developer tool and not required by any
reverse-dependency in Debian. It has been disabled in (old)stable releases.
Database developers are advised to use at least version 2.1.210-1,
currently available in Debian unstable.

For the oldstable distribution (buster), these problems have been fixed in
version 1.4.197-4+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 1.4.197-4+deb11u1.

We recommend that you upgrade your h2database packages.
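As an added check (not part of the advisory or of Debian's own tooling), the following Python reimplements dpkg's version ordering so an installed h2database version can be tested against the fixed versions listed above; the FIXED table is taken from this advisory, the function names are my own, and the versions used in the comments are constructed samples.

```python
import re
# Added example (not from the advisory): fixed versions per suite as stated in DSA-5076-1.
FIXED = {"buster": "1.4.197-4+deb10u1", "bullseye": "1.4.197-4+deb11u1",
         "unstable": "2.1.210-1"}

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything, letters before other symbols."""
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _tokens(s: str) -> list:
    """Alternating non-digit/digit runs, always starting with a (possibly empty) non-digit run."""
    parts = re.findall(r"\d+|\D+", s)
    return [""] + parts if parts and parts[0].isdigit() else parts

def _verrevcmp(a: str, b: str) -> int:
    """Like dpkg's verrevcmp(): non-digit runs by weight (missing chars weigh 0), digit runs numerically."""
    ta, tb = _tokens(a), _tokens(b)
    for k in range(max(len(ta), len(tb))):
        x = ta[k] if k < len(ta) else ""
        y = tb[k] if k < len(tb) else ""
        if k % 2:
            d = int(x or "0") - int(y or "0")
        else:
            n = max(len(x), len(y))
            wx = [_order(c) for c in x] + [0] * (n - len(x))
            wy = [_order(c) for c in y] + [0] * (n - len(y))
            d = (wx > wy) - (wx < wy)
        if d:
            return d
    return 0

def _split(version: str) -> tuple:
    """Split [epoch:]upstream[-revision]; the last '-' starts the Debian revision."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a sorts before, equal to, or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_fixed(suite: str, installed: str) -> bool:
    """True when the installed h2database version is at or above this DSA's fix for the suite.
    e.g. is_fixed("buster", "1.4.197-4") is False; a ~bpo backport of -4 also sorts below the fix."""
    return compare_versions(installed, FIXED[suite]) >= 0
```

On a Debian host the installed version to feed into is_fixed() comes from `dpkg-query -W -f '${Version}' h2database`.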
For the detailed security status of h2database please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/h2database

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org