Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves one vulnerability can now be installed.. # c3p0-0.14.1-1.1 on GA media Announcement ID: openSUSE-SU-2026:11166-1 Rating: moderate Cross-References: * CVE-2026-55223 Affected Products: * openSUSE Tumbleweed An update that solves one vulnerability can now be installed. ## Description: These are all security issues fixed in the c3p0-0.14.1-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * c3p0 0.14.1-1.1 * c3p0-javadoc 0.14.1-1.1 ## References: * https://www.suse.com/security/cve/CVE-2026-55223.html . An update for openSUSE Tumbleweed's c3p0-0.14.1-1.1 addresses a moderate security issue, CVE-2026-55223.. openSUSE,c3p0,security update,threat mitigation,software vulnerabilities. . LinuxSecurity.com Team
An update that solves two vulnerabilities and has one security fix can now be installed.. # Security update for c3p0 and mchange-commons Announcement ID: SUSE-SU-2026:0855-1 Release Date: 2026-03-10T05:06:42Z Rating: important References: * bsc#1258913 * bsc#1258942 * bsc#1259313 Cross-References: * CVE-2026-27727 * CVE-2026-27830 CVSS scores: * CVE-2026-27727 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-27727 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-27727 ( NVD ): 8.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-27830 ( SUSE ): 8.9 CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2026-27830 ( SUSE ): 8.0 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H * CVE-2026-27830 ( NVD ): 8.9 CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Affected Products: * openSUSE Leap 15.4 * openSUSE Leap 15.6 An update that solves two vulnerabilities and has one security fix can now be installed. ## Description: This update for c3p0 and mchange-commons fixes the following issues: c3p0: * Security issues fixed: * CVE-2026-27830: Fixed unsafe object deserialization (bsc#1258942) * Fix the null pointer exception in the userOverridesAsString method (bsc#1259313). mchange-commons: * Security issues fixed: * CVE-2026-27727: Disabled remote ClassLoading when dereferencing javax.naming.Reference instances (bsc#1258913) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patchSUSE-2026-855=1 * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2026-855=1 ## Package List: * openSUSE Leap 15.4 (noarch) * c3p0-0.9.5.5-150400.3.5.1 * c3p0-javadoc-0.9.5.5-150400.3.5.1 * mchange-commons-javadoc-0.2.20-150400.3.3.1 * mchange-commons-0.2.20-150400.3.3.1 * openSUSE Leap 15.6 (noarch) * c3p0-0.9.5.5-150400.3.5.1 * c3p0-javadoc-0.9.5.5-150400.3.5.1 * mchange-commons-javadoc-0.2.20-150400.3.3.1 * mchange-commons-0.2.20-150400.3.3.1 ## References: * https://www.suse.com/security/cve/CVE-2026-27727.html * https://www.suse.com/security/cve/CVE-2026-27830.html * https://bugzilla.suse.com/show_bug.cgi?id=1258913 * https://bugzilla.suse.com/show_bug.cgi?id=1258942 * https://bugzilla.suse.com/show_bug.cgi?id=1259313 . Two important updates for c3p0 and mchange-commons address critical security issues on openSUSE systems.. openSUSE security update c3p0 mchange-commons. . LinuxSecurity.com Team
An update that solves one vulnerability can now be installed.. # c3p0-0.12.0-1.1 on GA media Announcement ID: openSUSE-SU-2026:10279-1 Rating: moderate Cross-References: * CVE-2026-27727 CVSS scores: * CVE-2026-27727 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-27727 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves one vulnerability can now be installed. ## Description: These are all security issues fixed in the c3p0-0.12.0-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * c3p0 0.12.0-1.1 * c3p0-javadoc 0.12.0-1.1 ## References: * https://www.suse.com/security/cve/CVE-2026-27727.html . Update for c3p0 0.12.0-1.1 on openSUSE Tumbleweed fixes moderate vulnerabilities with high CVSS scores.. openSUSE update,c3p0 security fix,openSUSE vulnerabilities,update package,c3p0 access control. . LinuxSecurity.com Team
c3p0 could be made to crash if it opened a specially crafted file.. =========================================================================Ubuntu Security Notice USN-5293-1 February 21, 2022 c3p0 vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: c3p0 could be made to crash if it opened a specially crafted file. Software Description: - c3p0: JDBC Connection pooling library Details: Aaron Massey discovered that c3p0 could be made to crash when parsing certain input. An attacker able to modify the application's XML configuration file could cause a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: libc3p0-java 0.9.1.2-10ubuntu0.21.10.1 Ubuntu 20.04 LTS: libc3p0-java 0.9.1.2-10ubuntu0.20.04.1 Ubuntu 18.04 LTS: libc3p0-java 0.9.1.2-9+deb8u1ubuntu0.18.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5293-1 CVE-2019-5427 Package Information: https://launchpad.net/ubuntu/+source/c3p0/0.9.1.2-10ubuntu0.21.10.1 https://launchpad.net/ubuntu/+source/c3p0/0.9.1.2-10ubuntu0.20.04.1 https://launchpad.net/ubuntu/+source/c3p0/0.9.1.2-9+deb8u1ubuntu0.18.04.1 . A c3p0 security flaw may result in app failure when handling certain documents. Ensure you upgrade your system to remedy this issue.. Ubuntu Update,c3p0 Security Advisory,Denial Of Service Crash,XML Configuration Issue. . LinuxSecurity.com Team
An XML external entity processing vulnerability was found in extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433). c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive . MGASA-2020-0051 - Updated c3p0 packages fix security vulnerabilities Publication date: 28 Jan 2020 URL: https://advisories.mageia.org/MGASA-2020-0051.html Type: security Affected Mageia releases: 7 CVE: CVE-2018-20433, CVE-2019-5427 An XML external entity processing vulnerability was found in extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433). c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration (CVE-2019-5427). References: - https://bugs.mageia.org/show_bug.cgi?id=25906 - https://lists.fedoraproject.org/archives/list/
Update to version 0.9.5.4. Resolves CVE-2018-20433 and CVE-2019-5427.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2019-063672154a 2019-05-29 02:59:05.245232 --------------------------------------------------------------------------------Name : c3p0 Product : Fedora 29 Version : 0.9.5.4 Release : 1.fc29 URL : https://github.com/swaldman/c3p0 Summary : JDBC DataSources/Resource Pools Description : c3p0 is an easy-to-use library for augmenting traditional JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 standard extension. --------------------------------------------------------------------------------Update Information: Update to version 0.9.5.4. Resolves CVE-2018-20433 and CVE-2019-5427. --------------------------------------------------------------------------------ChangeLog: * Tue May 14 2019 Alexander Scheel - 0.9.5.4-1 - Updated version number to match Fedora Packaging Standards - Rebase to upstream release 0.9.5.4 - Resolves rhbz#1709861 / CVE-2019-5427 --------------------------------------------------------------------------------References: [ 1 ] Bug #1664730 - CVE-2018-20433 c3p0: XML external entity processing in extractXmlConfigFromInputStream [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1664730 [ 2 ] Bug #1709861 - CVE-2019-5427 c3p0: loading XML configuration leads to denial of service [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1709861 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-063672154a' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with theFedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Update to version 0.9.5.4. Resolves CVE-2018-20433 and CVE-2019-5427.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2019-cb14e234fc 2019-05-29 00:48:54.205181 --------------------------------------------------------------------------------Name : c3p0 Product : Fedora 30 Version : 0.9.5.4 Release : 1.fc30 URL : https://github.com/swaldman/c3p0 Summary : JDBC DataSources/Resource Pools Description : c3p0 is an easy-to-use library for augmenting traditional JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 standard extension. --------------------------------------------------------------------------------Update Information: Update to version 0.9.5.4. Resolves CVE-2018-20433 and CVE-2019-5427. --------------------------------------------------------------------------------ChangeLog: * Tue May 14 2019 Alexander Scheel - 0.9.5.4-1 - Updated version number to match Fedora Packaging Standards - Rebase to upstream release 0.9.5.4 - Resolves rhbz#1709861 / CVE-2019-5427 --------------------------------------------------------------------------------References: [ 1 ] Bug #1709861 - CVE-2019-5427 c3p0: loading XML configuration leads to denial of service [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1709861 [ 2 ] Bug #1664730 - CVE-2018-20433 c3p0: XML external entity processing in extractXmlConfigFromInputStream [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1664730 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-cb14e234fc' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with theFedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
A XML External Entity (XXE) vulnerability was discovered in c3p0, a library for JDBC connection pooling, that may be used to resolve information outside of the intended sphere of control. . Package : c3p0 Version : 0.9.1.2-9+deb8u1 CVE ID : CVE-2018-20433 Debian Bug : 917257 A XML External Entity (XXE) vulnerability was discovered in c3p0, a library for JDBC connection pooling, that may be used to resolve information outside of the intended sphere of control. For Debian 8 "Jessie", this problem has been fixed in version 0.9.1.2-9+deb8u1. We recommend that you upgrade your c3p0 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . Package : c3p0 Version : 0.9.1.2-9+deb8u1 CVE ID : CVE-2018-20433 Debian Bug : 917257 A XML External. external, entity, (xxe), vulnerability, library, connection. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.