Markus Koschany pushed to branch master at Debian Java Maintainers / c3p0
Commits: 088ce05f by Markus Koschany at 2018-12-25T14:07:16Z Switch to compat level 10 - - - - - 509aeba1 by Markus Koschany at 2018-12-25T14:07:37Z Use https for Format field. - - - - - 8cdcf880 by Markus Koschany at 2018-12-25T14:07:52Z Declare compliance with Debian Policy 4.3.0. - - - - - e4eb553d by Markus Koschany at 2018-12-25T14:08:22Z Use canonical VCS URI. - - - - - 562eda27 by Markus Koschany at 2018-12-25T14:11:18Z Rename README.Debian-source to README.source - - - - - b152f5ec by Markus Koschany at 2018-12-25T14:15:39Z Fix CVE-2018-20433. Thanks: Salvatore Bonaccorso for the report. Closes: #917257 - - - - - ee10d59c by Markus Koschany at 2018-12-25T14:18:09Z Update changelog - - - - - de80a715 by Markus Koschany at 2018-12-25T14:21:28Z Don't forget to apply the security patch. - - - - - b9e285c2 by Markus Koschany at 2018-12-25T14:25:19Z Install the documentation into canonical directory. - - - - - 5cd08b70 by Markus Koschany at 2018-12-25T14:27:13Z Rename libc3p0-java-doc.docs to libc3p0-java-doc.install because we need dh_install to create the directory - - - - - 11 changed files: - debian/README.Debian-source → debian/README.source - debian/changelog - debian/compat - debian/control - debian/copyright - debian/libc3p0-java-doc.doc-base - − debian/libc3p0-java-doc.docs - + debian/libc3p0-java-doc.install - + debian/patches/CVE-2018-20433.patch - debian/patches/series - debian/rules Changes: ===================================== debian/README.Debian-source → debian/README.source ===================================== ===================================== debian/changelog ===================================== 
@@ -1,10 +1,21 @@ -c3p0 (0.9.1.2-10) UNRELEASED; urgency=medium +c3p0 (0.9.1.2-10) unstable; urgency=medium * Team upload. - * Moved the package to Git - * Bump Standards-Version to 3.9.6 (no changes) - -- tony mancill <[email protected]> Wed, 25 Nov 2015 22:10:31 -0800 + [ tony mancill ] + * Moved the package to Git. + + [ Markus Koschany ] + * Switch to compat level 10. + * Use https for Format field. + * Declare compliance with Debian Policy 4.3.0. + * Use canonical VCS URI. + * Rename README.Debian-source to README.source + * Fix CVE-2018-20433. + Thanks to Salvatore Bonaccorso for the report. (Closes: #917257) + * Install the documentation into canonical directory. + + -- Markus Koschany <[email protected]> Tue, 25 Dec 2018 15:16:25 +0100 c3p0 (0.9.1.2-9) unstable; urgency=medium ===================================== debian/compat ===================================== @@ -1 +1 @@ -9 +10 ===================================== debian/control ===================================== @@ -3,11 +3,11 @@ Section: java Priority: optional Maintainer: Debian Java Maintainers <[email protected]> Uploaders: Varun Hiremath <[email protected]>, Emmanuel Bourg <[email protected]> -Build-Depends: debhelper (>= 9), cdbs, maven-repo-helper, default-jdk +Build-Depends: debhelper (>= 10), cdbs, maven-repo-helper, default-jdk Build-Depends-Indep: ant, liblog4j1.2-java, ant-optional, junit, libhsqldb-java -Standards-Version: 3.9.6 -Vcs-Git: git://anonscm.debian.org/pkg-java/c3p0.git -Vcs-Browser: http://anonscm.debian.org/cgit/pkg-java/c3p0.git +Standards-Version: 4.3.0 +Vcs-Git: https://salsa.debian.org/java-team/c3p0.git +Vcs-Browser: https://salsa.debian.org/java-team/c3p0 Homepage: http://sourceforge.net/projects/c3p0 Package: libc3p0-java ===================================== debian/copyright ===================================== 
@@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: c3p0 Upstream-Contact: Steve Waldman <[email protected]> Source: https://sourceforge.net/projects/c3p0 ===================================== debian/libc3p0-java-doc.doc-base ===================================== @@ -6,5 +6,5 @@ Abstract: This is the programmer API of c3p0, a library for JDBC Section: Programming Format: HTML -Index: /usr/share/doc/libc3p0-java-doc/api/index.html -Files: /usr/share/doc/libc3p0-java-doc/api/*.html +Index: /usr/share/doc/libc3p0-java/api/index.html +Files: /usr/share/doc/libc3p0-java/api/*.html ===================================== debian/libc3p0-java-doc.docs deleted ===================================== @@ -1 +0,0 @@ -build/api ===================================== debian/libc3p0-java-doc.install ===================================== @@ -0,0 +1 @@ +build/api usr/share/doc/libc3p0-java/ ===================================== debian/patches/CVE-2018-20433.patch ===================================== 
@@ -0,0 +1,22 @@
+From: Markus Koschany <[email protected]>
+Date: Tue, 25 Dec 2018 15:14:04 +0100
+Subject: CVE-2018-20433
+
+Bug-Debian: https://bugs.debian.org/917257
+Origin: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
+---
+ src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+index 3878e89..4a75bd8 100644
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -132,6 +132,7 @@ public final class C3P0ConfigXmlUtils
+ public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
+ {
+ DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
++ fact.setExpandEntityReferences(false);
+ DocumentBuilder db = fact.newDocumentBuilder();
+ Document doc = db.parse( is );
+
===================================== debian/patches/series =====================================
@@ -1,3 +1,4 @@
 build.patch
 testing.patch
 java-7-compat.patch
+CVE-2018-20433.patch
===================================== debian/rules =====================================
@@ -7,7 +7,7 @@ include /usr/share/cdbs/1/class/ant.mk JAVA_HOME := /usr/lib/jvm/default-java DEB_JARS := log4j1.2 junit ant-junit hsql -DEB_ANT_BUILD_TARGET := jar javadocs junit-tests +DEB_ANT_BUILD_TARGET := jar javadocs junit-tests DEB_INSTALL_CHANGELOGS_ALL := src/dist-static/CHANGELOG clean:: View it on GitLab: https://salsa.debian.org/java-team/c3p0/compare/eeafd0e2aec3310da4b1bf8726982f13dc11f8fd...5cd08b7000e47fa980bd7fa4a7bab91a7d3b08f2 -- View it on GitLab: https://salsa.debian.org/java-team/c3p0/compare/eeafd0e2aec3310da4b1bf8726982f13dc11f8fd...5cd08b7000e47fa980bd7fa4a7bab91a7d3b08f2 You're receiving this email because of your account on salsa.debian.org.
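Review bot: `fact.setExpandEntityReferences(false)` on its own is a weak XXE control for `extractXmlConfigFromInputStream` in debian/patches/CVE-2018-20433.patch: it governs how entity references are represented in the DOM, while a DOCTYPE in the input is still accepted, so depending on the JAXP implementation external DTDs and external or parameter entities may still be loaded. If c3p0 configuration documents never need a DTD (nothing in the hunk suggests they do), reject the declaration outright directly after the added line with `fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. Where a DOCTYPE must be tolerated, set the `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` features to false instead. The method body continues past the end of the hunk, so whether later code relies on expanded entities cannot be checked from here; a regression test that parses a config containing an external entity declaration and asserts that nothing is resolved would pin the behaviour.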

