MGASA-2020-0051 - Updated c3p0 packages fix security vulnerabilities

Publication date: 28 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0051.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2018-20433,
     CVE-2019-5427

An XML external entity processing vulnerability was found in
extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433).

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when
loading XML configuration due to missing protections against recursive
entity expansion when loading configuration (CVE-2019-5427).

References:
- https://bugs.mageia.org/show_bug.cgi?id=25906
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427

SRPMS:
- 7/core/c3p0-0.9.5.4-1.mga7