dependabot[bot] opened a new pull request, #23788:
URL: https://github.com/apache/camel/pull/23788

   Bumps [com.mchange:c3p0](https://github.com/swaldman/c3p0) from 0.13.0 to 0.14.0.
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/swaldman/c3p0/blob/0.14.x/CHANGELOG">com.mchange:c3p0's changelog</a>.</em></p>
   <blockquote>
   <p>c3p0-0.14.0
   -- Update to mill 1.1.6 and fix broken support for reproducible builds via the SOURCE_DATE_EPOCH
   environment variable.
   -- Generate explicit BeanInfo classes for c3p0-defined concrete DataSource and ConnectionPoolDataSource
   implementations, which exclude &quot;connection&quot; and/or &quot;pooledConnection&quot; from introspected bean properties,
   in order to preclude attacks such as those described here: <a href="https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/">https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/</a>
   -- Enforce a deterministic ordering on methods produced by the code generator DelegatorGenerator, in order
   to keep builds including such generated classes reproducible. (mchange-commons-java and c3p0 subclass)
   -- Define BeanInfoGen, a code-generation utility that defines explicit BeanInfo
   classes for what otherwise would have been introspected via JavaBean naming conventions, but that
   permits properties to be excluded from such introspection. (mchange-commons-java)
   -- JavaBeanObjectFactory now enforces a whitelist of classes it is willing to construct from References
   that call upon it. That whitelist is defined by new config parameter
   com.mchange.v2.naming.referenceableJavaBeanClassWhitelist (mchange-commons-java)
   -- Define false-biased config security key com.mchange.v2.naming.allowIndirectSerializationViaReference,
   disabling by default indirect serialization/deserialization of Referenceable but otherwise not
   serializable objects by serializing their references. This is a clever mechanism, but rarely used,
   and a place where attackers might smuggle a malicious reference. (mchange-commons-java)
   c3p0-0.13.0
   -- Ensure sessions are marked as endRequest() is called prior to check-in, to eliminate
   race between DBMS cleanup and checkout by a new client. Thanks Krrish (ota0912 on github).
   -- Take generic JavaBeanObjectFactory out of the whitelist of object factories,
   com.mchange.v2.naming.objectFactoryWhitelist, mchange-commons-java ReferenceableUtils
   is willing to dereference. Only C3P0JavaBeanObjectFactory should be used.
   -- Modify C3P0JavaBeanObjectFactory to use C3P0JavaBeanReferencePropertyOverrider.
   -- Modify the JavaBeanReferenceMaker employed by c3p0 beans to use C3P0JavaBeanReferencePropertyOverrider
   -- Define C3P0JavaBeanReferencePropertyOverrider, supporting the serialization and deserialization
   of user-defined config key value pairs (the 'extensions' property)
   -- Add support for extensions, in the form of JavaBeanReferencePropertyOverrider, that
   allow javax.naming.Referenceable JavaBeans that include non-String, non-coerceable-to-string,
   non-SecurelyStringifiable properties to use some custom serialization to a Reference.
   Add support in both the JavaBeanReferenceMaker and JavaBeanObjectFactory for supporting
   such extensions.
   -- Replace with a CSV format internal use of Java serialization by JavaBeanObjectFactory
   and JavaBeanReferenceMaker when tracking reference properties. [in mchange-commons-java]
   -- Eliminate support for decoding BinaryRefAddrs via Java (de)serialization in
   JavaBeanObjectFactory. The capability still exists, but one must explicitly
   extend JavaBeanObjectFactory in order to support it. No existing classes in
   c3p0 or mchange-commons-java now use Java serialization to unpickle objects
   from References.
   -- Add support for SecurelySerializable to c3p0's code-generated bean superclasses,
   and to the concrete derived beans as well.
   -- Define CsvSecurelyStringifiableBeangenGeneratorExtension to enable code-generated Java beans
   that support the new SecurelyStringifiable alternative serialization [in mchange-commons-java]
   -- When generating references with JavaBeanReferenceMaker, gate use of Java-serialization
   to define properties behind a new false-biased configuration parameter,
   com.mchange.v2.naming.generateSerializedObjectBinaryRefAddr. (This should almost
   never be reset to true.) [in mchange-commons-java]
   -- Define in com.mchange.v2.naming a SecurelyStringifiable mechanism, intended
   to replace the use of dangerous Java serialization in the construction of</p>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/swaldman/c3p0/commit/931fd53b695720adc4ac087e021b6de7daf0dd1b"><code>931fd53</code></a> Update test console scala version, versions for mchange-commons-java 0.6.0 fi...</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/76cff33ae1b1106c7717e9ac1b0869b04fbcfebc"><code>76cff33</code></a> Extremely minor tweaks to tests.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/d35e3b14139dbde6b3ae5d31ea89f7977f53ad8b"><code>d35e3b1</code></a> Wrote release notes for 0.14.0.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/50c128a68af49c16d71c4b9fa963702cb0281b3f"><code>50c128a</code></a> Update CHANGELOG for 0.14.0, README.md fixes.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/d7ae528f7352912aa4d768db8884deab03630e6b"><code>d7ae528</code></a> Update README.md to track changes to the test.runClasspath task, when explain...</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/2607761409a7205080e1bf5a1e1636896a491ea7"><code>2607761</code></a> Update README.md for 0.14.0, add to brief note re security fixes, describe re...</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/0dfeb19a312e4d65b6ba0c7b378199e3e5064b1c"><code>0dfeb19</code></a> Make the output jar from our overridden sourceJar task 'out.jar' to match the...</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/943f8ce8a9ae991cffa88a0de522996e4280bbe9"><code>943f8ce</code></a> Add a mill-update script and update the mill wrapper script.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/2bc04d72fdf7296d46aea6380e0cdd6048cdb8a4"><code>2bc04d7</code></a> Upgrade build to mill 1.1.6 and modify to support reproducible builds (of mai...</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/ef8a6e98a53289b1a87319b0ebc7e00d5c550041"><code>ef8a6e9</code></a> Keep code-generation order deterministic by imposing a stable order on method...</li>
   <li>Additional commits viewable in <a href="https://github.com/swaldman/c3p0/compare/v0.13.0...v0.14.0">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.mchange:c3p0&package-manager=maven&previous-version=0.13.0&new-version=0.14.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   
   
   </details>
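The security-relevant item in the quoted changelog is that c3p0 0.14.0 ships explicit BeanInfo classes so that "connection" and "pooledConnection" are no longer visible to JavaBeans introspection on its concrete DataSource and ConnectionPoolDataSource implementations. The program below is an added post-upgrade check, not part of this PR, of Dependabot, or of c3p0's own code. It assumes c3p0 0.14.0 (with mchange-commons-java) on the classpath and Java 11 or later, and uses the standard `java.beans.Introspector`, which honours an explicit `<ClassName>BeanInfo` class when one exists, so it observes exactly what a property-walking deserializer would see. The class name `C3p0BeanInfoCheck`, the method `exposedForbiddenProperties` and the constant names are my own.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

import com.mchange.v2.c3p0.ComboPooledDataSource;
import com.mchange.v2.c3p0.WrapperConnectionPoolDataSource;

/**
 * Added check (not c3p0 code): confirms that c3p0's concrete DataSource and
 * ConnectionPoolDataSource beans do not expose "connection" / "pooledConnection"
 * as introspected JavaBean properties, as the 0.14.0 changelog states.
 */
public final class C3p0BeanInfoCheck {

    // Property names the 0.14.0 changelog says are excluded from introspection.
    private static final Set<String> FORBIDDEN = Set.of("connection", "pooledConnection");

    // Concrete c3p0 beans to inspect; assumed present on the classpath at 0.14.0+.
    private static final List<Class<?>> BEANS = List.of(
            ComboPooledDataSource.class,
            WrapperConnectionPoolDataSource.class);

    /**
     * Returns the forbidden property names that are still visible on the bean,
     * sorted; an empty set means the explicit BeanInfo is in effect.
     */
    static Set<String> exposedForbiddenProperties(Class<?> bean) throws IntrospectionException {
        // Introspector uses an explicit <ClassName>BeanInfo class if one is found,
        // otherwise it falls back to reflection over getter/setter names.
        BeanInfo info = Introspector.getBeanInfo(bean);
        Set<String> exposed = new TreeSet<>();
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (FORBIDDEN.contains(pd.getName())) {
                exposed.add(pd.getName());
            }
        }
        return exposed;
    }

    public static void main(String[] args) throws IntrospectionException {
        boolean ok = true;
        for (Class<?> bean : BEANS) {
            Set<String> exposed = exposedForbiddenProperties(bean);
            if (exposed.isEmpty()) {
                System.out.println("OK   " + bean.getName()
                        + ": no connection-returning properties introspected");
            } else {
                ok = false;
                System.out.println("FAIL " + bean.getName() + " still exposes " + exposed
                        + " (expected on c3p0 < 0.14.0; verify the upgrade actually took effect)");
            }
        }
        // Non-zero exit lets a CI job fail the build when the old behaviour is still present.
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once against the resolved dependency tree (for example from a test-scoped main or a small integration test) rather than trusting the version number alone: the protection only exists if the BeanInfo classes are actually on the classpath next to the beans, so a shaded or relocated c3p0 that drops them would make this check fail even though the declared version is 0.14.0.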


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
