25906 – c3p0 new security issues CVE-2018-20433 and CVE-2019-5427

Bug 25906 - c3p0 new security issues CVE-2018-20433 and CVE-2019-5427

Summary: c3p0 new security issues CVE-2018-20433 and CVE-2019-5427

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2019-12-19 22:02 CET by David Walser
Modified:	2020-01-28 08:54 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	c3p0-0.9.5-0.5.pre8.1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-12-19 22:02:00 CET

Fedora has issued an advisory on May 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/

It was already fixed in Cauldron and the CVE is even in the changelog entry but there was no bug report.  Please make sure we have a bug when you're aware of a CVE.

The issues are fixed upstream in 0.9.5.4.

Comment 1 David GEIGER 2019-12-22 09:02:23 CET

Done for mga7!

Comment 2 David Walser 2019-12-22 14:21:17 CET

Advisory:
========================

Updated c3p0 packages fix security vulnerabilities:

An XML external entity processing vulnerability was found in
extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433).

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading
XML configuration due to missing protections against recursive entity expansion
when loading configuration (CVE-2019-5427).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
========================

Updated packages in core/updates_testing:
========================
c3p0-0.9.5.4-1.mga7
c3p0-javadoc-0.9.5.4-1.mga7

from c3p0-0.9.5.4-1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 3 Herman Viaene 2019-12-23 17:05:46 CET

MGA7-64 Plasma on Lenovo B50
No installation issues.Nothing found in wiki or previous bugs. Done a little googling and find some very interesting things on "connection pooling". Way out of my league.
I will not object OK'ing on clean install. Seeing no ill effects right now.

CC: (none) => herman.viaene

Comment 4 David Walser 2019-12-23 18:29:49 CET

Yeah, a clean update from the previous version will suffice here.

Comment 5 Thomas Andrews 2020-01-23 21:01:04 CET

I should have checked back on this one much sooner. OKing on the basis on Herman's clean install, and validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Lewis Smith 2020-01-27 19:52:45 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-01-28 08:54:22 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0051.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.