diff --git a/src/dist-static/CHANGELOG b/src/dist-static/CHANGELOG index 2ac754e9..f54c912e 100644 --- a/src/dist-static/CHANGELOG +++ b/src/dist-static/CHANGELOG @@ -1,3 +1,12 @@ +c3p0-0.9.5.3 + -- Address CVE-2018-20433, https://nvd.nist.gov/vuln/detail/CVE-2018-20433 re liberal parsing of + XML config. By default, c3p0 no longer expands entity references in XML config files. This + behavior can be overridden via config property 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences' + by applications that understand the security concerns but wish to make use of entity references. + Thanks to user zhutougg on GitHub for calling attention to and suggesting a fix for this issue. + -- Upgrade dependency to mchange-commons-java 0.2.15, which includes support for log4j2 (implemented + in mchange-commons-java by GitHub user fireandfuel. Many thanks! + c3p0-0.9.5.2 -- Fix a bug in MLog bridge to slf4j logging, in which loggability of levels of wrapped loggers was misreported, leading to useless allocation of log Strings below the logging threshold. Grr. diff --git a/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.2 b/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.2 new file mode 100644 index 00000000..007c5870 --- /dev/null +++ b/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.2 @@ -0,0 +1,7 @@ +RELEASE NOTES, c3p0-0.9.5.2 +=========================== + ++ This minor bugfix release fixed a bug that caused useless allocation of below-logging-threshold + Strings, and added better debugging information on failed attempts to acquire database Connections. + + diff --git a/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.3 b/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.3 new file mode 100644 index 00000000..35f05106 --- /dev/null +++ b/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.3 
@@ -0,0 +1,25 @@ +RELEASE NOTES, c3p0-0.9.5.3 +=========================== + ++ This minor bugfix release addresses a security issue: + + CVE-2018-20433, https://nvd.nist.gov/vuln/detail/CVE-2018-20433 + + The c3p0 parsed XML config files liberally, including resolving external + entity references. Incautious use of this feature could permit injection + of malicious config. Now c3p0 does not resolve external entity references + in its the XML config file. + + HOWEVER, in the EXCEEDINGLY RARE CASE that your configuration depends on + the old behavior, if you have UNDERSTOOD the security concern, you may + restore external entity resolution with the following config parameter + (in c3p0.properties, as HOCON config, or as a System property): + + com.mchange.v2.c3p0.cfg.xml.expandEntityReferences=true + + Thanks to user zhutougg on GitHub for calling attention to and suggesting + a fix for this issue. + ++ c3p0 now supports logging to log4j2. (Logging to the old, original log4j + library remains supported as well.) Thanks to user fireandfuel on GitHub + for implementing this feature! (In the mchange-commons-java library.)
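Review bot: In the src/dist-static/CHANGELOG hunk, the log4j2 line opens a parenthesis that is never closed: "(implemented in mchange-commons-java by GitHub user fireandfuel. Many thanks!" should end with ")". Separately, this entry says c3p0 "no longer expands entity references" while the RELEASE_NOTES-c3p0-0.9.5.3 hunk says it no longer resolves "external entity references"; these are different scopes, and the property name 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences' suggests the broader one. Use the same wording in both files and say precisely which XML parser behavior the property toggles, so an application that sets it to true knows exactly what it is re-enabling.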
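Review bot: In the src/dist-static/RELEASE_NOTES-c3p0-0.9.5.2 hunk, the single bullet is written in past tense ("fixed a bug", "added better debugging information") while the 0.9.5.3 notes in the same commit use present tense ("addresses a security issue"); pick one tense for the release-notes series. The new file also ends with two trailing blank lines after the bullet, which can be dropped.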
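Review bot: In the src/dist-static/RELEASE_NOTES-c3p0-0.9.5.3 hunk, two wording slips: "Now c3p0 does not resolve external entity references in its the XML config file" has a stray "the" ("in its XML config file"), and "The c3p0 parsed XML config files liberally" should drop the leading "The". Since the paragraph tells readers how to set 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences=true' to restore the old behavior, it would help to state the new default (false) explicitly next to the property name rather than leaving it implied.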