Received: (at submit) by bugs.debian.org; 25 Apr 2019 07:17:46 +0000
Return-path: <carnil@debian.org>
Received: from lorien.valinor.li ([2a01:4f8:192:61d5::2])
 by buxtehude.debian.org with esmtp (Exim 4.89)
 (envelope-from <carnil@debian.org>) id 1hJYdd-0006sp-UM
 for submit@bugs.debian.org; Thu, 25 Apr 2019 07:17:46 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: c3p0: CVE-2019-5427
Message-ID: <155617666509.27622.3139939875206049019.reportbug@lorien.valinor.li>
X-Mailer: reportbug 7.5.2
Date: Thu, 25 Apr 2019 09:17:45 +0200
X-Debbugs-Cc: carnil@debian.org,
 Debian Security Team <team@security.debian.org>, team@security.debian.org
Delivered-To: submit@bugs.debian.org

Source: c3p0
Version: 0.9.1.2-10
Severity: important
Tags: security upstream
Control: found -1 0.9.1.2-9+deb9u1
Control: found -1 0.9.1.2-9

Hi,

The following vulnerability was published for c3p0.

CVE-2019-5427[0]:
| c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack
| when loading XML configuration due to missing protections against
| recursive entity expansion when loading configuration.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5427
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
[1] https://hackerone.com/reports/509315
[2] https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b

Regards,
Salvatore
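As an added illustration of the class of bug described in the CVE text above (example code, not c3p0's own code and not taken from the upstream fix commit), the Java snippet below contrasts a default JAXP DocumentBuilderFactory, which accepts a constructed nested-entity configuration document and expands it, with a hardened factory that rejects the DOCTYPE before any entity declaration is read. The c3p0-config element names in the sample are assumed for illustration; the disallow-doctype-decl feature URI is the standard Xerces one supported by the JDK's built-in parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class EntityExpansionDemo {
    // Constructed sample, not a real c3p0.xml: the nested-entity shape of a
    // "billion laughs" document, kept to three levels so it stays harmless.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE c3p0-config [\n" +
        "  <!ENTITY lol \"lol\">\n" +
        "  <!ENTITY lol1 \"&lol;&lol;&lol;\">\n" +
        "  <!ENTITY lol2 \"&lol1;&lol1;&lol1;\">\n" +
        "]>\n" +
        "<c3p0-config><default-config>" +
        "<property name=\"user\">&lol2;</property>" +
        "</default-config></c3p0-config>";
    // Default JAXP factory: the DOCTYPE is accepted and entities are expanded,
    // so parser memory use grows exponentially with the nesting depth.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }
    // Hardened factory: any DOCTYPE is rejected before entity declarations are
    // read; secure processing additionally applies the JDK's expansion limits.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }
    // Parse SAMPLE with the given factory and return the (expanded) property text.
    static String parseUser(DocumentBuilderFactory f) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("property").item(0).getTextContent();
    }
    public static void main(String[] args) throws Exception {
        // Default parser yields "lol" repeated 3^2 = 9 times for the three levels.
        System.out.println("default: " + parseUser(defaultFactory()).length() + " chars");
        try {
            parseUser(hardenedFactory());
        } catch (SAXParseException e) {
            System.out.println("hardened: DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright is the simplest mitigation when, as with a pool configuration file, no legitimate document needs a DTD; if DTDs must be allowed, rely on FEATURE_SECURE_PROCESSING and the JDK's entityExpansionLimit instead.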