CVE-2019-5427 (https://nvd.nist.gov/vuln/detail/CVE-2019-5427): c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a412428273d4599a10dc6d15e926a35d61bf0bc3

commit a412428273d4599a10dc6d15e926a35d61bf0bc3
Author:     Yuan Liao <liaoyuan@gmail.com>
AuthorDate: 2022-01-13 22:46:12 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-01-15 09:28:33 +0000

    dev-java/c3p0: Add 0.9.5.5 with EAPI 8, updated HOMEPAGE and LICENSE

    Closes: https://bugs.gentoo.org/719144
    Bug: https://bugs.gentoo.org/830920
    Signed-off-by: Yuan Liao <liaoyuan@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/23793
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/c3p0/Manifest            |  1 +
 dev-java/c3p0/c3p0-0.9.5.5.ebuild | 57 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
reverting back to confirmed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e0cece5233dfea8da2e61d0db9d96456af2e0c2

commit 8e0cece5233dfea8da2e61d0db9d96456af2e0c2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-01-18 18:37:03 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-01-18 18:37:03 +0000

    dev-java/c3p0: removed obsolete and vulnerable 0.9.5.1

    Bug: https://bugs.gentoo.org/719144
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/c3p0/Manifest            |  1 -
 dev-java/c3p0/c3p0-0.9.5.1.ebuild | 59 ---------------------------------------
 2 files changed, 60 deletions(-)
the tree is clean now, you can proceed.
Thank you!