Advisories » MGASA-2020-0051

Updated c3p0 packages fix security vulnerabilities

Publication date: 28 Jan 2020
Modification date: 28 Jan 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2018-20433 , CVE-2019-5427

Description

An XML external entity processing vulnerability was found in
extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433).

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when
loading XML configuration due to missing protections against recursive
entity expansion when loading configuration (CVE-2019-5427).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=25906
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427

SRPMS

7/core

• c3p0-0.9.5.4-1.mga7