Your message dated Mon, 04 May 2026 17:02:48 +0000
with message-id <[email protected]>
and subject line Bug#927936: fixed in c3p0 0.9.1.2-10.1~deb12u1
has caused the Debian Bug report #927936,
regarding c3p0: CVE-2019-5427
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
927936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927936
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: c3p0
Version: 0.9.1.2-10
Severity: important
Tags: security upstream
Control: found -1 0.9.1.2-9+deb9u1
Control: found -1 0.9.1.2-9
Hi,
The following vulnerability was published for c3p0.
CVE-2019-5427[0]:
| c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack
| when loading XML configuration due to missing protections against
| recursive entity expansion when loading configuration.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-5427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
[1] https://hackerone.com/reports/509315
[2] https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b
Regards,
Salvatore
--- End Message ---
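The attack class named in the report (recursive internal-entity expansion, "billion laughs") and the corresponding defence, shown as an added example rather than as code from the bug report or from c3p0 itself. The class name, the constructed c3p0-style configuration and the small three-level entity chain are assumptions for illustration; the feature URIs are the standard JAXP/Xerces ones shipped with the JDK. A permissive `DocumentBuilder` expands the chain into 1,000 copies of the entity text, which is exactly the amplification an attacker scales up to exhaust memory; a parser that refuses any DOCTYPE never declares an entity at all.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class C3p0ConfigEntityDemo {

    // Constructed input (not a real c3p0-config.xml): three levels of ten
    // references each turn one "lol" into 1,000 copies. A real payload uses
    // nine or ten levels (10^9-10^10 expansions) so the parser never finishes.
    static final String MALICIOUS_CONFIG =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE c3p0-config [\n" +
        "  <!ENTITY lol \"lol\">\n" +
        "  <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        "  <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        "  <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
        "]>\n" +
        "<c3p0-config>\n" +
        "  <default-config>\n" +
        "    <property name=\"user\">&lol3;</property>\n" +
        "  </default-config>\n" +
        "</c3p0-config>\n";

    /** JAXP defaults: a DOCTYPE is accepted and internal entities are expanded. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened: reject any DOCTYPE, so no entity (internal or external) can be declared. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The feature that actually stops the amplification: parsing fails at the DOCTYPE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Also close the related external-entity (XXE) paths for parsers that
        // honour these but not the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    /** Length of the expanded "user" property, or -1 if the parser refused the document. */
    static int expandedUserLength(DocumentBuilder db, String xml) throws Exception {
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getElementsByTagName("property").item(0).getTextContent().length();
        } catch (SAXParseException e) {
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // The permissive parser materialises 1,000 x "lol" (3,000 characters)
        // from a few dozen bytes of DTD; the hardened one fails before any
        // entity is declared and reports -1.
        System.out.println("permissive: " + expandedUserLength(permissiveBuilder(), MALICIOUS_CONFIG));
        System.out.println("hardened:   " + expandedUserLength(hardenedBuilder(), MALICIOUS_CONFIG));
    }
}
```

Two practitioner notes. First, the JDK's built-in parser caps entity expansion at 64,000 by default (`jdk.xml.entityExpansionLimit`), which is why the small chain above parses but a full-size payload is cut off with an exception; that limit is a safety net, not a substitute for refusing the DOCTYPE, and applications that raise or disable it lose it. Second, the CVE text says "version < 0.9.5.4", but the Debian fix is a backport to 0.9.1.2, so a scanner that keys only on the upstream version string will keep flagging a patched bookworm host; check the Debian package version (0.9.1.2-10.1~deb12u1 or later) rather than the upstream number.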
--- Begin Message ---
Source: c3p0
Source-Version: 0.9.1.2-10.1~deb12u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
c3p0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated c3p0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 04 May 2026 14:56:32 +0300
Source: c3p0
Architecture: source
Version: 0.9.1.2-10.1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 927936
Changes:
c3p0 (0.9.1.2-10.1~deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* Rebuild for bookworm
.
c3p0 (0.9.1.2-10.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Backport fix for CVE-2019-5427. (Closes: #927936)
Checksums-Sha1:
51cfe6b4a9371d7ea9f5f748e8169338cd635b7b 2154 c3p0_0.9.1.2-10.1~deb12u1.dsc
bd0e67549d91dc7fee5648f72a316ef809a1bbf0 11916 c3p0_0.9.1.2-10.1~deb12u1.debian.tar.xz
Checksums-Sha256:
5a1bd690a02c7ca9d8b67f1e82a6898ff991a2af689656c0548236481beed293 2154 c3p0_0.9.1.2-10.1~deb12u1.dsc
aa44c1ec7853d111bb64c5f108616ab0793777a33191976bf4ad4cb21773ec86 11916 c3p0_0.9.1.2-10.1~deb12u1.debian.tar.xz
Files:
5a9eddabb5773e9c0be5e83c0cf3e3db 2154 java optional c3p0_0.9.1.2-10.1~deb12u1.dsc
dad738f36d3df6b93aa93c65d9a59af7 11916 java optional c3p0_0.9.1.2-10.1~deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.