Security researchers of JFrog Security and Ismail Aydemir discovered two remote
code execution vulnerabilities in the H2 Java SQL database engine which can be
exploited through various attack vectors, most notably through the H2 Console
and by loading custom classes from remote servers through JNDI. The H2 console
is a developer tool and not required by any reverse-dependency in Debian. It
has been disabled in (old)stable releases. Database developers are advised to
use at least version 2.1.210-1, currently available in Debian unstable.
More Stories
USN-5974-1: GraphicsMagick vulnerabilities
It was discovered that GraphicsMagick was not properly performing bounds checks when processing TGA image files, which could lead to...
USN-5973-1: url-parse vulnerabilities
It was discovered that url-parse incorrectly handled certain inputs. If a user or an automated system were tricked into opening...
USN-5964-2: curl vulnerabilities
USN-5964-1 fixed several vulnerabilities in curl. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM....
LSN-0093-1: Kernel Live Patch Security Notice
Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations....
USN-5972-1: Thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a...
CVE-2018-25083
The pullit package before 1.4.0 for Node.js allows OS Command Injection because eval is used on an attacker-supplied Git branch...