Bug 25906 - c3p0 new security issues CVE-2018-20433 and CVE-2019-5427
Summary: c3p0 new security issues CVE-2018-20433 and CVE-2019-5427
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-19 22:02 CET by David Walser
Modified: 2020-01-27 19:52 CET (History)
4 users (show)

See Also:
Source RPM: c3p0-0.9.5-0.5.pre8.1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-12-19 22:02:00 CET
Fedora has issued an advisory on May 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/

It was already fixed in Cauldron and the CVE is even in the changelog entry but there was no bug report.  Please make sure we have a bug when you're aware of a CVE.

The issues are fixed upstream in 0.9.5.4.
Comment 1 David GEIGER 2019-12-22 09:02:23 CET
Done for mga7!
Comment 2 David Walser 2019-12-22 14:21:17 CET
Advisory:
========================

Updated c3p0 packages fix security vulnerabilities:

An XML external entity processing vulnerability was found in
extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433).

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading
XML configuration due to missing protections against recursive entity expansion
when loading configuration (CVE-2019-5427).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
========================

Updated packages in core/updates_testing:
========================
c3p0-0.9.5.4-1.mga7
c3p0-javadoc-0.9.5.4-1.mga7

from c3p0-0.9.5.4-1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 3 Herman Viaene 2019-12-23 17:05:46 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.Nothing found in wiki or previous bugs. Done a little googling and find some very interesting things on "connection pooling". Way out of my league.
I will not object OK'ing on clean install. Seeing no ill effects right now.

CC: (none) => herman.viaene

Comment 4 David Walser 2019-12-23 18:29:49 CET
Yeah, a clean update from the previous version will suffice here.
Comment 5 Thomas Andrews 2020-01-23 21:01:04 CET
I should have checked back on this one much sooner. OKing on the basis on Herman's clean install, and validating. Advisory in Comment 2.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Lewis Smith 2020-01-27 19:52:45 CET

Keywords: (none) => advisory


Note You need to log in before you can comment on or make changes to this bug.