Fedora has issued an advisory on May 29:
It was already fixed in Cauldron and the CVE is even in the changelog entry but there was no bug report. Please make sure we have a bug when you're aware of a CVE.
The issues are fixed upstream in 0.9.5.4.
Done for mga7!
Updated c3p0 packages fix security vulnerabilities:
An XML external entity processing vulnerability was found in
extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433).
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading
XML configuration due to missing protections against recursive entity expansion
when loading configuration (CVE-2019-5427).
Updated packages in core/updates_testing:
MGA7-64 Plasma on Lenovo B50
No installation issues. Nothing found in wiki or previous bugs. Done a little googling and find some very interesting things on "connection pooling". Way out of my league.
I will not object OK'ing on clean install. Seeing no ill effects right now.
Yeah, a clean update from the previous version will suffice here.
I should have checked back on this one much sooner. OKing on the basis of Herman's clean install, and validating. Advisory in Comment 2.
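The advisory text above describes XML configuration being parsed without protection against recursive entity expansion (CVE-2019-5427) and external entity processing (CVE-2018-20433). As an added illustration that is not code from this bug thread or from the c3p0 project, the following Java snippet parses a constructed c3p0-style config file carrying an entity-expansion DTD, first with a default DocumentBuilderFactory and then with one hardened using the standard JAXP/Xerces features that close both issue classes. The class name, the sample XML and the reduced three-level payload are assumptions made for the example; the feature list is the generic hardening a config parser should apply, not a claim about which settings c3p0 0.9.5.4 itself chose.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XmlConfigHardening {

    // Constructed sample (not from c3p0): a c3p0-style config document with an
    // entity-expansion DTD prepended. Three levels of ten references each expand
    // to 1,000 copies of "lol"; a real billion-laughs payload uses ten levels.
    static final String ENTITY_EXPANSION_CONFIG =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE c3p0-config [\n" +
        "  <!ENTITY lol \"lol\">\n" +
        "  <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        "  <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        "  <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
        "]>\n" +
        "<c3p0-config>\n" +
        "  <default-config>\n" +
        "    <property name=\"maxPoolSize\">&lol3;</property>\n" +
        "  </default-config>\n" +
        "</c3p0-config>\n";

    /** Parser with JDK defaults: DOCTYPE accepted, entities expanded, external entities resolved. */
    static DocumentBuilder unprotectedBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Parser hardened against XXE and entity-expansion denial of service. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A configuration file has no legitimate need for a DTD; rejecting the
        // DOCTYPE outright closes both XXE and billion-laughs in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /**
     * Parses the document and returns the length of the first property's text
     * content, or -1 when the parser rejected the document.
     */
    static int parsedPropertyLength(DocumentBuilder builder, String xml) throws Exception {
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            Document doc = builder.parse(in);
            return doc.getElementsByTagName("property").item(0).getTextContent().length();
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the hardened parser fail here before
            // any entity is expanded.
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unprotected: " + parsedPropertyLength(unprotectedBuilder(), ENTITY_EXPANSION_CONFIG));
        System.out.println("hardened:    " + parsedPropertyLength(hardenedBuilder(), ENTITY_EXPANSION_CONFIG));
    }
}
```

Run with `javac XmlConfigHardening.java && java XmlConfigHardening`. The unprotected parser happily expands the three-level payload into a thousand copies of "lol" inside what is supposed to be an integer pool size, and only the JDK's built-in expansion limit stops a full ten-level payload from exhausting memory; the hardened parser refuses the document at the DOCTYPE, which is the behaviour a config loader should have regardless of that limit. The same disallow-doctype-decl setting is what blocks the SYSTEM entity used for XXE, so one feature covers both CVE classes named in the advisory.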