H2 EOL Versions?


Symphoni Bush

Dec 21, 2020, 9:19:34 AM12/21/20
to H2 Database
I am trying to find out if there are any end-of-life versions for H2, and if so, when these versions typically become EOL/unsupported in terms of security. If this information is publicly stored anywhere, please let me know. Thanks.

Evgenij Ryazanov

Dec 21, 2020, 10:53:09 AM12/21/20
to H2 Database
Hello. There are no “supported” versions of H2; you can use any version you wish, but you should understand that nobody cares about any previous releases, and there will be no patch releases for them. Releases are simply numbered sequentially. Sometimes, for some applications, the latest available version can be not really suitable due to some regression.

H2 is not a secure container and should not be considered as one. You should never give ADMIN privileges to untrusted users or applications; users with them have the same access to your system as your JVM has (if you don't have a security manager with some restrictions). You should not allow untrusted remote connections to your server; remote connections are completely disabled by default, but some people enable them (sometimes even when they don't need them). If you use 1.4.197 and older versions, you should block all unwanted remote connections by yourself if remote access is enabled; password protection of your databases is not enough. H2 1.4.198 and later versions are more restrictive, but some people enable the old unsafe behavior of a server with a special flag because they depend on this behavior in their applications, so your system may also be vulnerable, but only due to its explicit unsafe configuration. It's not an issue of H2. Normally your database servers should not be available outside of the trusted area of your network.

You can find some fake security issues of H2 over the internet. They are actually either features (administrators may legally do these things by design) or they are related to unsafe configuration of H2 in third-party projects.

There were some real issues (usually not really critical in sane configurations), but they weren't published.
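The two server configurations the reply contrasts, as an added illustration that is not part of this thread and not H2's own code: it assumes H2 1.4.198 or later on the classpath, uses the real `org.h2.tools.Server` options `-tcpAllowOthers`, `-baseDir` and `-ifNotExists`, and takes `-ifNotExists` (which re-enables remote database creation) to be the "special flag" the reply mentions.

```java
import java.sql.SQLException;
import org.h2.tools.Server;

/**
 * Added example (not from the thread, not H2's own code): starting the H2 TCP
 * server two ways with org.h2.tools.Server, one following the hardening advice
 * in the reply and one reproducing the setup it warns about.
 * Assumes H2 1.4.198 or later on the classpath.
 */
public class H2ServerHardening {

    /**
     * Recommended: loopback only (no -tcpAllowOthers), database files confined
     * to one directory, and no remote database creation (the 1.4.198+ default).
     */
    public static Server startLocalOnlyServer(String dataDir, int port) throws SQLException {
        Server server = Server.createTcpServer(
                "-tcpPort", Integer.toString(port),
                "-baseDir", dataDir);   // clients cannot open files outside dataDir
        return server.start();          // listens on localhost only
    }

    /**
     * The configuration the reply warns about: reachable from other hosts, and
     * -ifNotExists restores the pre-1.4.198 behaviour of letting any remote
     * client create new databases. Password protection alone does not make
     * this safe; the network has to be trusted.
     */
    public static Server startRemoteAccessServer(String dataDir, int port) throws SQLException {
        Server server = Server.createTcpServer(
                "-tcpPort", Integer.toString(port),
                "-tcpAllowOthers",      // accept connections from other machines
                "-ifNotExists",         // allow remote database creation again
                "-baseDir", dataDir);
        return server.start();
    }

    public static void main(String[] args) throws SQLException {
        Server server = startLocalOnlyServer("./h2data", 9092);
        try {
            System.out.println("H2 listening on " + server.getURL()); // tcp://localhost:9092
        } finally {
            server.stop();
        }
    }
}
```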