Re: [h2] CVE-2018-10054

2018-08-09 Thread Evgenij Ryazanov
This is not really a “hole” in H2, it is an unsafe non-default configuration that is used in some third-party products. You have to enable remote access to H2 explicitly, but if you're doing it you should also set additional restrictions that suit your environment and needs. -ifExists can be us

Re: [h2] CVE-2018-10054

2018-08-09 Thread Kerry Sainsbury
Fair enough! That sounds to me like the hole that needs to be blocked. On 10 August 2018 at 07:29, Delta wrote: > You need admin, but you can gain such privileges by just creating new db > and for this you don't need to be admin. > > Thu, 9 Aug 2018 at 22:21, Kerry Sainsbury : > >> I would say

Re: [h2] CVE-2018-10054

2018-08-09 Thread Delta
You need admin, but you can gain such privileges by just creating new db and for this you don't need to be admin. Thu, 9 Aug 2018 at 22:21, Kerry Sainsbury : > I would say that it can be dealt with by the user already. > > 1. Apparently "Admin rights are required to execute this command" -- > t

Re: [h2] CVE-2018-10054

2018-08-09 Thread Kerry Sainsbury
I would say that it can be dealt with by the user already. 1. Apparently "Admin rights are required to execute this command" -- therefore only give admin rights to users who should have them. 2. Also, you can constrain the classes that can be loaded via h2.allowedClasses

[h2] Re: deadlock in MVStore

2018-08-09 Thread Dan
Is there an artifact server somewhere with SNAPSHOT releases I can point at? Or I would just have to build it locally? Thanks, Dan On Wednesday, August 8, 2018 at 9:33:29 AM UTC-5, Andrei Tokar wrote: > > Hi Dan, > > MVStore code has undergone significant changes since last release > (especial

[h2] Re: best way to get an MV store to compact?

2018-08-09 Thread Dan
Thanks for this tip, by the way - I wouldn't have guessed it, but this off-line compaction works _far_ better than anything I tried online. Dan On Thursday, August 2, 2018 at 8:24:12 PM UTC-5, Andrei Tokar wrote: > > Hi Dan, > > I think that > > MVStoreTool.compact(MVStore source, MVStore target

Re: [h2] CVE-2018-10054

2018-08-09 Thread Thomas Mueller Graf
Hi, See the CVE: Datomic was fixed. Regards, Thomas On Thu, Aug 9, 2018 at 11:36 AM Thomas Mueller Graf < thomas.tom.muel...@gmail.com> wrote: > Hi, > > > H2 1.4.197, as used in Datomic before 0.9.5697 and other products > > I think the point here is "as used in Datomic ... and other products"

Re: [h2] CVE-2018-10054

2018-08-09 Thread Thomas Mueller Graf
Hi, > H2 1.4.197, as used in Datomic before 0.9.5697 and other products I think the point here is "as used in Datomic ... and other products". You could say that "bash" is vulnerable "as used in ". The problem to me seems not in H2, but in , that uses H2 in a way that is not secure. On Thu, Aug

[h2] Re: Vulnerability found

2018-08-09 Thread Christian Jonigkeit
Is there a schedule for dealing with https://www.cvedetails.com/cve/CVE-2018-10054/? On Monday, July 16, 2018 at 5:01:29 PM UTC+2, Delta wrote: > > Developer, please write me on my mail owod...@protonmail.ch > -- You received this message because you are subscribed to the Google Groups "H2 Da

[h2] CVE-2018-10054

2018-08-09 Thread Christian Jonigkeit
Is there a schedule for dealing with https://www.cvedetails.com/cve/CVE-2018-10054/ ?