Debian Security Advisory

DSA-5436-1 hsqldb1.8.0 -- security update

Date Reported:
21 Jun 2023
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2023-1183.
More information:

Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL database engine, allowed the execution of spurious scripting commands in .script and .log files. Hsqldb supports a SCRIPT keyword which is normally used to record the commands input by the database admin to output such a script. In combination with LibreOffice, an attacker could craft an odb containing a "database/script" file which itself contained a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.

For the oldstable distribution (bullseye), this problem has been fixed in version

For the stable distribution (bookworm), this problem has been fixed in version

We recommend that you upgrade your hsqldb1.8.0 packages.

For the detailed security status of hsqldb1.8.0 please refer to its security tracker page at: