Package: c3p0 / 0.9.1.2-9+deb9u1

CVE-2018-20433.patch Patch series | download
From: Markus Koschany <apo@debian.org>
Date: Tue, 25 Dec 2018 15:14:04 +0100
Subject: CVE-2018-20433

Bug-Debian: https://bugs.debian.org/917257
Origin: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
---
 src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
index 3878e89..4a75bd8 100644
--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
@@ -132,6 +132,7 @@ public final class C3P0ConfigXmlUtils
     public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
     {
         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
+	fact.setExpandEntityReferences(false);
         DocumentBuilder db = fact.newDocumentBuilder();
         Document doc = db.parse( is );
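Review bot: `fact.setExpandEntityReferences(false)` on the added line is not a dependable XXE guard on its own: on common JAXP implementations it mainly controls how entity references are represented in the DOM tree, and a DOCTYPE in the input can still be processed (external DTD, parameter entities) when `db.parse( is )` runs. Since this factory parses configuration XML from a stream, I would reject DOCTYPE declarations outright with `fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newDocumentBuilder()`; if c3p0 configs legitimately need a DTD, disable `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` instead. The added line is also indented with a tab where the surrounding lines use spaces. The body of extractXmlConfigFromInputStream continues past the end of the hunk, so what happens to `doc` afterwards is not visible here.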