2.12 just came out, so the earliest would be 2.13. I’m sure a pull request would be welcomed if you want to take a look yourself.
> On 17 Jan 2022, at 01:29, Lo, Marcus <marcus...@citi.com> wrote:
>
> Thanks. Is there any timeline when this ticket would be picked up and fixed? Thanks.
>
> Regards,
> Marcus
>
> From: [gridgain.com <http://gridgain.com/>] Stephen Darlington <stephen.darling...@gridgain.com>
> Sent: Friday, January 14, 2022 5:41 PM
> To: user
> Subject: Re: h2 vulnerabilities
>
> There are already tickets about this, IGNITE-14845 <https://issues.apache.org/jira/browse/IGNITE-14845> for example. Note that at least two of the CVEs you list are not exposed in Ignite (IGNITE-10801 <https://issues.apache.org/jira/browse/IGNITE-10801>).
>
> On 14 Jan 2022, at 09:22, Lo, Marcus <marcus...@citi.com> wrote:
>
> Hi,
>
> The current Ignite (v2.11) has h2 v1.4.197 as dependencies, which is subject to the following vulnerabilities. Is there any plan to update to a newer version? Given the currently heightened security awareness, it would be very difficult to make the case to use the current version of Ignite due to corporate security policy. Thanks.
>
> CVE-2021-23463 (BDSA-2021-3744)
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463
>
> CVE-2018-10054 (BDSA-2018-1048)
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054
>
> BDSA-2022-0048 (H2 Database Vulnerable to Remote Code Execution (RCE) via Unsafe JNDI Class Loading Functionality)
> https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
> https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
>
> CVE-2018-14335 (BDSA-2018-2507)
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335
>
> Regards,
> Marcus