
[Security] Bump h2 from 2.1.214 to 2.2.220

Dependabot requested to merge dependabot-maven-com.h2database-h2-2.2.220 into master

Bumps h2 from 2.1.214 to 2.2.220. This update includes a security fix.

Vulnerabilities fixed

Password exposure in H2 Database The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

Patched versions: none
Affected versions: <= 2.1.214
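The weakness described above is that a cleartext `-webAdminPassword` value sits in the process argument list, where any local user can read it. The audit helper below, an added example that is not part of the advisory or of H2, scans process command lines for that flag and reports the offending PID with the password value redacted, so the check itself does not re-expose the secret. The `SAMPLE` process list is constructed for illustration; `read_proc_cmdlines` reads real `/proc` entries on Linux.

```python
import os
from dataclasses import dataclass

FLAG = "-webAdminPassword"  # H2 Console CLI option that takes a cleartext password (per the advisory)


@dataclass
class Finding:
    pid: int
    redacted_cmdline: str


def redact_web_admin_password(argv):
    """Return a copy of argv with every value following -webAdminPassword replaced."""
    out, i = [], 0
    while i < len(argv):
        out.append(argv[i])
        if argv[i] == FLAG and i + 1 < len(argv):
            out.append("<REDACTED>")
            i += 1  # skip the cleartext value
        i += 1
    return out


def check_argv(pid, argv):
    """Return a Finding when the flag is present, else None (a bare flag with no value still counts)."""
    if FLAG in argv:
        return Finding(pid, " ".join(redact_web_admin_password(argv)))
    return None


def scan(processes):
    """processes: iterable of (pid, argv list). Returns the list of Findings."""
    return [f for pid, argv in processes if (f := check_argv(pid, argv)) is not None]


def read_proc_cmdlines():
    """Linux only: yield (pid, argv) for every readable process in /proc (constructed helper)."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or not readable; skip it
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv:
            yield int(name), argv


# Constructed sample: one exposed H2 Console, one clean H2 Console, one unrelated process.
SAMPLE = [
    (4242, ["java", "-cp", "h2-2.1.214.jar", "org.h2.tools.Console", FLAG, "s3cret-value", "-webAllowOthers"]),
    (4243, ["java", "-cp", "h2-2.1.214.jar", "org.h2.tools.Console"]),
    (1, ["/sbin/init"]),
]

if __name__ == "__main__":
    for finding in scan(read_proc_cmdlines()):
        print(f"pid {finding.pid}: {finding.redacted_cmdline}")
```

Run it as a periodic host check or wire `scan` into an EDR/osquery-style collector; a non-empty result means an H2 admin password is readable by every local account on that host.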

Release notes

Sourced from h2's releases.

Version 2.2.220

Changes since 2.1.214 release:

... (truncated)

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
