Your message dated Fri, 04 Apr 2025 12:49:43 +0000
with message-id <e1u0gur-002ul5...@fasolo.debian.org>
and subject line Bug#927936: fixed in c3p0 0.9.1.2-10.1
has caused the Debian Bug report #927936,
regarding c3p0: CVE-2019-5427
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
927936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927936
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: c3p0
Version: 0.9.1.2-10
Severity: important
Tags: security upstream
Control: found -1 0.9.1.2-9+deb9u1
Control: found -1 0.9.1.2-9
Hi,
The following vulnerability was published for c3p0.
CVE-2019-5427[0]:
| c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack
| when loading XML configuration due to missing protections against
| recursive entity expansion when loading configuration.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-5427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
[1] https://hackerone.com/reports/509315
[2] https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b
Regards,
Salvatore
--- End Message ---
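The report above describes the vulnerability class: an XML configuration loader that honours DOCTYPE entity declarations can be made to expand nested entities exponentially (the "billion laughs" pattern) and exhaust memory or CPU. The following is an added example, not code from c3p0, Debian, or the reporter, showing the defender-side fix for that class of bug: a JAXP DocumentBuilder configured to refuse DOCTYPE declarations and external entities outright, so no attacker-declared entity can ever be expanded. It assumes the JDK's bundled Xerces parser (the Apache feature URIs used here are recognised by it; another parser may throw ParserConfigurationException on an unsupported feature), and the c3p0-style configuration snippets are constructed for illustration, not taken from the page.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class HardenedXmlConfigLoader {

    // Builds a DocumentBuilder that rejects any DOCTYPE declaration. With no
    // DOCTYPE there can be no internal entity declarations, so recursive
    // entity expansion (billion laughs) is impossible; the remaining features
    // also disable external entities and external DTD loading (XXE defence).
    // Feature URIs are those understood by the JDK's bundled Xerces parser
    // (assumption: another JAXP implementation may reject them).
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses a configuration document with either the hardened builder or a
    // default one, returning the root element name so callers can check the
    // result. The default builder is what the vulnerable pattern looks like:
    // it accepts DOCTYPE and expands entities as declared.
    static String loadConfig(String xml, boolean hardened) throws Exception {
        DocumentBuilder b = hardened
                ? hardenedBuilder()
                : DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTagName();
    }

    // Constructed sample inputs (not from the page): an ordinary pool
    // configuration, and one that carries a DOCTYPE with an internal entity.
    // The second uses a single harmless entity on purpose; the point is that
    // the hardened parser refuses the DOCTYPE before any expansion happens.
    static final String BENIGN =
            "<c3p0-config><default-config>"
          + "<property name=\"maxPoolSize\">10</property>"
          + "</default-config></c3p0-config>";
    static final String WITH_DOCTYPE =
            "<!DOCTYPE c3p0-config [ <!ENTITY e \"x\"> ]>"
          + "<c3p0-config>&e;</c3p0-config>";

    public static void main(String[] args) throws Exception {
        // Ordinary configuration still loads under the hardened builder.
        System.out.println("benign, hardened: root=" + loadConfig(BENIGN, true));

        // Any DOCTYPE is rejected by the hardened builder with a SAXException.
        try {
            loadConfig(WITH_DOCTYPE, true);
            System.out.println("unexpected: hardened builder accepted a DOCTYPE");
        } catch (SAXException e) {
            System.out.println("hardened builder rejected DOCTYPE: " + e.getMessage());
        }

        // The default builder accepts the same document, which is the
        // behaviour the CVE describes as missing protection.
        System.out.println("doctype, default: root=" + loadConfig(WITH_DOCTYPE, false));
    }
}
```

Disallowing DOCTYPE is the most robust setting when the configuration format never needs a DTD, as is the case for a pool configuration file; it removes the whole entity-expansion surface rather than relying on expansion limits. Where a DTD genuinely is required, the JDK's `jdk.xml.entityExpansionLimit` system property bounds expansion instead, but the DOCTYPE ban should be the default for any configuration loader.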
--- Begin Message ---
Source: c3p0
Source-Version: 0.9.1.2-10.1
Done: Bastian Germann <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
c3p0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <b...@debian.org> (supplier of updated c3p0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 04 Apr 2025 13:01:52 +0200
Source: c3p0
Architecture: source
Version: 0.9.1.2-10.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Bastian Germann <b...@debian.org>
Closes: 927936
Changes:
c3p0 (0.9.1.2-10.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Backport fix for CVE-2019-5427. (Closes: #927936)
Checksums-Sha1:
fc7b19a3aba759c794ad9756d5b354c050c8f6f7 1972 c3p0_0.9.1.2-10.1.dsc
2f0dc227268647606a5c6fd01dbdc2f7da189b0e 11852 c3p0_0.9.1.2-10.1.debian.tar.xz
9a6830738dcbc4641055723a1a3daf2b6b2338dd 10232 c3p0_0.9.1.2-10.1_source.buildinfo
Checksums-Sha256:
98c2a4c593b7948b2ca9388ec710663e7ba12efd1f682d0fff67bc24025d8756 1972 c3p0_0.9.1.2-10.1.dsc
ac139f81dc36d98925879fc37c13d950e7f8768458b1474182e3b4d780cf75e3 11852 c3p0_0.9.1.2-10.1.debian.tar.xz
0673ae3d620c4f75831e7a216eb0c9c37e2bedbe6e636dab000ae397470c3d7f 10232 c3p0_0.9.1.2-10.1_source.buildinfo
Files:
018eb14fe9a15c5fce7533eb51d99490 1972 java optional c3p0_0.9.1.2-10.1.dsc
cb877ca6a64bd1273b4097109bd430eb 11852 java optional c3p0_0.9.1.2-10.1.debian.tar.xz
1f533aed2f8b077b5aa5fbe50aaf2340 10232 java optional c3p0_0.9.1.2-10.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---