Updated c3p0 packages fix security vulnerabilities
Publication date: 28 Jan 2020Modification date: 28 Jan 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2018-20433 , CVE-2019-5427
Description
An XML external entity processing vulnerability was found in extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433). c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration (CVE-2019-5427).
References
SRPMS
7/core
- c3p0-0.9.5.4-1.mga7