Bug 25906

Summary: c3p0 new security issues CVE-2018-20433 and CVE-2019-5427
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: c3p0-0.9.5-0.5.pre8.1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-12-19 22:02:00 CET 
Fedora has issued an advisory on May 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/

It was already fixed in Cauldron and the CVE is even in the changelog entry but there was no bug report.  Please make sure we have a bug when you're aware of a CVE.

The issues are fixed upstream in 0.9.5.4.
Comment 1 David GEIGER 2019-12-22 09:02:23 CET 
Done for mga7!
Comment 2 David Walser 2019-12-22 14:21:17 CET 
Advisory:
========================

Updated c3p0 packages fix security vulnerabilities:

An XML external entity processing vulnerability was found in
extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433).

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading
XML configuration due to missing protections against recursive entity expansion
when loading configuration (CVE-2019-5427).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
========================

Updated packages in core/updates_testing:
========================
c3p0-0.9.5.4-1.mga7
c3p0-javadoc-0.9.5.4-1.mga7

from c3p0-0.9.5.4-1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 3 Herman Viaene 2019-12-23 17:05:46 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.Nothing found in wiki or previous bugs. Done a little googling and find some very interesting things on "connection pooling". Way out of my league.
I will not object OK'ing on clean install. Seeing no ill effects right now.

CC: (none) => herman.viaene

Comment 4 David Walser 2019-12-23 18:29:49 CET 
Yeah, a clean update from the previous version will suffice here.
Comment 5 Thomas Andrews 2020-01-23 21:01:04 CET 
I should have checked back on this one much sooner. OKing on the basis on Herman's clean install, and validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Lewis Smith 2020-01-27 19:52:45 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-01-28 08:54:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0051.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED