c3p0: CVE-2018-20433: XXE vulnerability at initialization

Related Vulnerabilities: CVE-2018-20433  

Debian Bug report logs - #917257

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 24 Dec 2018 20:48:02 UTC

Severity: important

Tags: security, upstream

Found in version c3p0/0.9.1.2-9

Fixed in versions c3p0/0.9.1.2-10, c3p0/0.9.1.2-9+deb9u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#917257; Package src:c3p0. (Mon, 24 Dec 2018 20:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 24 Dec 2018 20:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: c3p0: CVE-2018-20433: XXE vulnerability at initialization
Date: Mon, 24 Dec 2018 21:45:49 +0100
Source: c3p0
Version: 0.9.1.2-9
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for c3p0.

CVE-2018-20433[0]:
| c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in
| com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20433
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
[1] https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b

Regards,
Salvatore

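As an added illustration, not code from c3p0 or from the Debian fix, here is the hardening a config loader of this kind needs: a DocumentBuilderFactory that refuses DOCTYPE declarations (and thus any entity a config file could declare) before the DOM is built. The class and method names are hypothetical, and the two config documents are constructed samples in the c3p0-config.xml shape.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedConfigXml {
    // Hypothetical stand-in for a loader like extractXmlConfigFromInputStream.
    // Refusing any DOCTYPE is the decisive setting; the remaining switches cover
    // JAXP implementations that do not honour the first feature.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
        fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        fact.setFeature("http://xml.org/sax/features/external-general-entities", false);
        fact.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        fact.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        fact.setXIncludeAware(false);
        fact.setExpandEntityReferences(false);
        return fact;
    }

    static Document parseConfig(InputStream is) throws Exception {
        return hardenedFactory().newDocumentBuilder().parse(is);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a c3p0-style config carrying a DOCTYPE that declares an
        // external entity (pointed at a harmless URI here). The loader must reject it.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE c3p0-config [ <!ENTITY ext SYSTEM \"file:///dev/null\"> ]>\n"
            + "<c3p0-config><default-config>"
            + "<property name=\"user\">&ext;</property></default-config></c3p0-config>";
        // Constructed sample: the same shape without a DOCTYPE, which must still load.
        String clean = "<?xml version=\"1.0\"?><c3p0-config><default-config>"
            + "<property name=\"maxPoolSize\">20</property></default-config></c3p0-config>";
        try {
            parseConfig(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
        Document doc = parseConfig(new ByteArrayInputStream(clean.getBytes(StandardCharsets.UTF_8)));
        System.out.println("clean config root element: " + doc.getDocumentElement().getTagName());
    }
}
```

With the JDK's built-in parser the first parse throws a SAXParseException on the DOCTYPE line, while the second returns a document whose root element is c3p0-config.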


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#917257. (Tue, 25 Dec 2018 14:39:03 GMT)


Message #8 received at 917257-submitter@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 917257-submitter@bugs.debian.org
Subject: Bug #917257 in c3p0 marked as pending
Date: Tue, 25 Dec 2018 14:35:07 +0000
Control: tag -1 pending

Hello,

Bug #917257 in c3p0 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/c3p0/commit/b152f5ec64c39ca9ac4c48f840d89ecc70f2846d

------------------------------------------------------------------------
Fix CVE-2018-20433.

Thanks: Salvatore Bonaccorso for the report.
Closes: #917257
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/917257



Added tag(s) pending. Request was from Markus Koschany <apo@debian.org> to 917257-submitter@bugs.debian.org. (Tue, 25 Dec 2018 14:39:03 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 25 Dec 2018 15:09:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 25 Dec 2018 15:09:09 GMT)


Message #15 received at 917257-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 917257-close@bugs.debian.org
Subject: Bug#917257: fixed in c3p0 0.9.1.2-10
Date: Tue, 25 Dec 2018 15:04:36 +0000
Source: c3p0
Source-Version: 0.9.1.2-10

We believe that the bug you reported is fixed in the latest version of
c3p0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917257@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated c3p0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Dec 2018 15:16:25 +0100
Source: c3p0
Binary: libc3p0-java libc3p0-java-doc
Architecture: source
Version: 0.9.1.2-10
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libc3p0-java - library for JDBC connection pooling
 libc3p0-java-doc - library for JDBC connection pooling (documentation)
Closes: 917257
Changes:
 c3p0 (0.9.1.2-10) unstable; urgency=medium
 .
   * Team upload.
 .
   [ tony mancill ]
   * Moved the package to Git.
 .
   [ Markus Koschany ]
   * Switch to compat level 10.
   * Use https for Format field.
   * Declare compliance with Debian Policy 4.3.0.
   * Use canonical VCS URI.
   * Rename README.Debian-source to README.source
   * Fix CVE-2018-20433.
     Thanks to Salvatore Bonaccorso for the report. (Closes: #917257)
   * Install the documentation into canonical directory.





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Thu, 03 Jan 2019 21:51:44 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Jan 2019 21:51:44 GMT)


Message #20 received at 917257-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 917257-close@bugs.debian.org
Subject: Bug#917257: fixed in c3p0 0.9.1.2-9+deb9u1
Date: Thu, 03 Jan 2019 21:47:08 +0000
Source: c3p0
Source-Version: 0.9.1.2-9+deb9u1

We believe that the bug you reported is fixed in the latest version of
c3p0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917257@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated c3p0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 28 Dec 2018 18:41:05 +0100
Source: c3p0
Binary: libc3p0-java libc3p0-java-doc
Architecture: source
Version: 0.9.1.2-9+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libc3p0-java - library for JDBC connection pooling
 libc3p0-java-doc - library for JDBC connection pooling (documentation)
Closes: 917257
Changes:
 c3p0 (0.9.1.2-9+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Fix CVE-2018-20433.
     An XML External Entity (XXE) vulnerability was discovered in c3p0 that may
     be used to resolve information outside of the intended sphere of control.
     (Closes: #917257)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Feb 2019 07:33:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:30:01 2019; Machine Name: buxtehude
