[Git][java-team/c3p0][master] 10 commits: Switch to compat level 10

Markus Koschany gitlab at salsa.debian.org
Tue Dec 25 14:35:08 GMT 2018


Markus Koschany pushed to branch master at Debian Java Maintainers / c3p0


Commits:
088ce05f by Markus Koschany at 2018-12-25T14:07:16Z
Switch to compat level 10

- - - - -
509aeba1 by Markus Koschany at 2018-12-25T14:07:37Z
Use https for Format field.

- - - - -
8cdcf880 by Markus Koschany at 2018-12-25T14:07:52Z
Declare compliance with Debian Policy 4.3.0.

- - - - -
e4eb553d by Markus Koschany at 2018-12-25T14:08:22Z
Use canonical VCS URI.

- - - - -
562eda27 by Markus Koschany at 2018-12-25T14:11:18Z
Rename README.Debian-source to README.source

- - - - -
b152f5ec by Markus Koschany at 2018-12-25T14:15:39Z
Fix CVE-2018-20433.

Thanks: Salvatore Bonaccorso for the report.
Closes: #917257

- - - - -
ee10d59c by Markus Koschany at 2018-12-25T14:18:09Z
Update changelog

- - - - -
de80a715 by Markus Koschany at 2018-12-25T14:21:28Z
Don't forget to apply the security patch.

- - - - -
b9e285c2 by Markus Koschany at 2018-12-25T14:25:19Z
Install the documentation into canonical directory.

- - - - -
5cd08b70 by Markus Koschany at 2018-12-25T14:27:13Z
Rename libc3p0-java-doc.docs to libc3p0-java-doc.install because we need dh_install to create the directory

- - - - -


11 changed files:

- debian/README.Debian-source → debian/README.source
- debian/changelog
- debian/compat
- debian/control
- debian/copyright
- debian/libc3p0-java-doc.doc-base
- − debian/libc3p0-java-doc.docs
- + debian/libc3p0-java-doc.install
- + debian/patches/CVE-2018-20433.patch
- debian/patches/series
- debian/rules


Changes:

=====================================
debian/README.Debian-source → debian/README.source
=====================================


=====================================
debian/changelog
=====================================
@@ -1,10 +1,21 @@
-c3p0 (0.9.1.2-10) UNRELEASED; urgency=medium
+c3p0 (0.9.1.2-10) unstable; urgency=medium
 
   * Team upload.
-  * Moved the package to Git
-  * Bump Standards-Version to 3.9.6 (no changes)
 
- -- tony mancill <tmancill at debian.org>  Wed, 25 Nov 2015 22:10:31 -0800
+  [ tony mancill ]
+  * Moved the package to Git.
+
+  [ Markus Koschany ]
+  * Switch to compat level 10.
+  * Use https for Format field.
+  * Declare compliance with Debian Policy 4.3.0.
+  * Use canonical VCS URI.
+  * Rename README.Debian-source to README.source
+  * Fix CVE-2018-20433.
+    Thanks to Salvatore Bonaccorso for the report. (Closes: #917257)
+  * Install the documentation into canonical directory.
+
+ -- Markus Koschany <apo at debian.org>  Tue, 25 Dec 2018 15:16:25 +0100
 
 c3p0 (0.9.1.2-9) unstable; urgency=medium
 
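Review bot: The "Fix CVE-2018-20433." entry does not say what was changed or where. Consider naming the added patch (debian/patches/CVE-2018-20433.patch) and the affected code, the XML config parsing in C3P0ConfigXmlUtils, so the changelog can be read without opening the patch. As a style point, "Rename README.Debian-source to README.source" is the only entry in the list without a trailing period.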


=====================================
debian/compat
=====================================
@@ -1 +1 @@
-9
+10


=====================================
debian/control
=====================================
@@ -3,11 +3,11 @@ Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
 Uploaders: Varun Hiremath <varun at debian.org>, Emmanuel Bourg <ebourg at apache.org>
-Build-Depends: debhelper (>= 9), cdbs, maven-repo-helper, default-jdk
+Build-Depends: debhelper (>= 10), cdbs, maven-repo-helper, default-jdk
 Build-Depends-Indep: ant, liblog4j1.2-java, ant-optional, junit, libhsqldb-java
-Standards-Version: 3.9.6
-Vcs-Git: git://anonscm.debian.org/pkg-java/c3p0.git
-Vcs-Browser: http://anonscm.debian.org/cgit/pkg-java/c3p0.git
+Standards-Version: 4.3.0
+Vcs-Git: https://salsa.debian.org/java-team/c3p0.git
+Vcs-Browser: https://salsa.debian.org/java-team/c3p0
 Homepage: http://sourceforge.net/projects/c3p0
 
 Package: libc3p0-java
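
Review bot: The Homepage field left in the trailing context still points at http://sourceforge.net/projects/c3p0, while this hunk moves both Vcs-* fields to https and debian/copyright already gives the Source as https://sourceforge.net/projects/c3p0. Switch Homepage to the https URL as well so the package metadata is consistent.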


=====================================
debian/copyright
=====================================
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: c3p0
 Upstream-Contact: Steve Waldman <swaldman at users.sourceforge.net>
 Source: https://sourceforge.net/projects/c3p0


=====================================
debian/libc3p0-java-doc.doc-base
=====================================
@@ -6,5 +6,5 @@ Abstract: This is the programmer API of c3p0, a library for JDBC
 Section: Programming
 
 Format: HTML
-Index: /usr/share/doc/libc3p0-java-doc/api/index.html
-Files: /usr/share/doc/libc3p0-java-doc/api/*.html
+Index: /usr/share/doc/libc3p0-java/api/index.html
+Files: /usr/share/doc/libc3p0-java/api/*.html


=====================================
debian/libc3p0-java-doc.docs deleted
=====================================
@@ -1 +0,0 @@
-build/api


=====================================
debian/libc3p0-java-doc.install
=====================================
@@ -0,0 +1 @@
+build/api usr/share/doc/libc3p0-java/


=====================================
debian/patches/CVE-2018-20433.patch
=====================================
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 25 Dec 2018 15:14:04 +0100
+Subject: CVE-2018-20433
+
+Bug-Debian: https://bugs.debian.org/917257
+Origin: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
+---
+ src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+index 3878e89..4a75bd8 100644
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -132,6 +132,7 @@ public final class C3P0ConfigXmlUtils
+     public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
+     {
+         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
++	fact.setExpandEntityReferences(false);
+         DocumentBuilder db = fact.newDocumentBuilder();
+         Document doc = db.parse( is );
+ 
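
Review bot: In extractXmlConfigFromInputStream, fact.setExpandEntityReferences(false) on its own is a thin mitigation for external entity processing: DOCTYPE declarations are still accepted, and the setting does not by itself turn off loading of external DTDs or parameter entities, so a DTD carried in the config stream may still be processed by db.parse( is ). Consider also calling fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) before newDocumentBuilder(), or, if a DOCTYPE has to be accepted, disabling the external-general-entities and external-parameter-entities features and enabling XMLConstants.FEATURE_SECURE_PROCESSING. The added line is also indented with a tab where the surrounding lines use spaces.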


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
 build.patch
 testing.patch
 java-7-compat.patch
+CVE-2018-20433.patch


=====================================
debian/rules
=====================================
@@ -7,7 +7,7 @@ include /usr/share/cdbs/1/class/ant.mk
 JAVA_HOME := /usr/lib/jvm/default-java
 
 DEB_JARS                   := log4j1.2 junit ant-junit hsql
-DEB_ANT_BUILD_TARGET       := jar javadocs junit-tests 
+DEB_ANT_BUILD_TARGET       := jar javadocs junit-tests
 DEB_INSTALL_CHANGELOGS_ALL := src/dist-static/CHANGELOG
 
 clean::



View it on GitLab: https://salsa.debian.org/java-team/c3p0/compare/eeafd0e2aec3310da4b1bf8726982f13dc11f8fd...5cd08b7000e47fa980bd7fa4a7bab91a7d3b08f2
