www-repository mailing list archives

From "Matthieu Riou" <matth...@offthelip.org>
Subject Re: HSQLDB security risks
Date Sat, 19 Jan 2008 21:19:26 GMT
On Jan 19, 2008 12:52 PM, Steve Loughran <steve.loughran@gmail.com> wrote:

> Here's an interesting thought. HSQLDB has just had a security risk
> raised against it:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4575
>
>
> The repository stops at version 1.8.0.7 :
> http://repo1.maven.org/maven2/hsqldb/hsqldb/
> this is still vulnerable
>
> Also, a truck load of other artifacts still depend on it:
> http://www.mvnrepository.com/artifact/hsqldb/hsqldb/1.8.0.7
>
> Clearly we need to get the 1.8.0.9 release up there ASAP; if nobody
> wants to update the existing 1.8.0.7 POM for this I can do it @work
> next week (we use it for testing only, not redistribution).
>
> More subtly: should the existing artifacts be left alone? We could
> delete them, which would force everyone to move up to a secure
> version, but break builds. Or we could put some redirect in, perhaps?
> I know this goes against the philosophy of once-published-never-touch,
> and doesn't solve the real problem, which is everyone who redists
> hsqldb drivers needs to know the risk and re-release their app if
> vulnerable.
>
> Perhaps we need some notion of 'danger artifacts' -and refuse to
> accept any more products who declare a dependency on hsqldb < 1.8.0.9?
> That way, we can stop any more references to unsafe artifacts creeping
> in?
>

Having a 1.8.0.9 in the repo is definitely nice to have but I can think of
quite a few scenarios where this security hole doesn't apply, like when
HSQL is just used in-VM for testing. Breaking everybody's build because
there's a security hole they'll never see in their test database is maybe
not a good idea...

Matthieu


>
> -steve
>
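The "danger artifacts" check Steve floats above, and Matthieu's point that a test-scoped hsqldb is a different risk from a redistributed one, can both be answered by a POM scanner rather than by deleting artifacts from the repository. The script below is an added example written for this page; it is not code from the thread, from Maven Central, or from the HSQLDB project. It assumes, as Steve's message states, that 1.8.0.9 is the first fixed release, and it uses a constructed sample pom.xml. It resolves only simple `${property}` placeholders declared in the same POM (no parent POMs, no dependencyManagement, no transitive dependencies) and reports each hit with its scope so a test-only use can be triaged separately from a compile-scope one.

```python
"""Flag POM dependencies on hsqldb older than the release that carries the CVE-2007-4575 fix."""
import xml.etree.ElementTree as ET

# Assumption taken from the thread: 1.8.0.9 is the first fixed release,
# so any hsqldb:hsqldb version that sorts below it is treated as affected.
MIN_SAFE = {("hsqldb", "hsqldb"): (1, 8, 0, 9)}

# Constructed sample POM for the demonstration; not from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <hsqldb.version>1.8.0.7</hsqldb.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>hsqldb</groupId>
      <artifactId>hsqldb</artifactId>
      <version>${hsqldb.version}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
    </dependency>
  </dependencies>
</project>"""


def _local(tag):
    """Strip the Maven XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def version_key(version):
    """Turn '1.8.0.7' into (1, 8, 0, 7) for tuple comparison.

    Non-numeric components (e.g. 'rc1') sort as 0; a shorter tuple sorts
    below a longer one with the same prefix, so '1.8.0' < '1.8.0.9'.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def _resolve(value, props):
    """Resolve a single ${name} placeholder against <properties>; else return as-is."""
    if value.startswith("${") and value.endswith("}"):
        return props.get(value[2:-1], value)
    return value


def find_vulnerable(pom_xml):
    """Return [(groupId, artifactId, version, scope)] for affected dependencies."""
    root = ET.fromstring(pom_xml)

    # First pass: collect <properties> so version placeholders can be resolved.
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()

    # Second pass: inspect each <dependency>.
    findings = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        key = (fields.get("groupId"), fields.get("artifactId"))
        if key not in MIN_SAFE:
            continue
        version = _resolve(fields.get("version", ""), props)
        if version_key(version) < MIN_SAFE[key]:
            findings.append((key[0], key[1], version, fields.get("scope", "compile")))
    return findings


if __name__ == "__main__":
    for group, artifact, version, scope in find_vulnerable(SAMPLE_POM):
        print(f"{group}:{artifact}:{version} (scope={scope}) is below 1.8.0.9")
```

Run against a real build, the scope column is what separates Matthieu's in-VM test database from an application that ships the driver: a `test` hit is a build-hygiene item, a `compile` or `runtime` hit means the product itself needs a re-release.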
