[SET-171] Update c3p0 to version 0.9.5.4 due to 3rd party vulnerability issues (CVE-2019-5427, CVE-2018-20433) - SOS JIRA

XML

Word

Printable

Details

Type: Fix
Status: Released (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.12.9
Fix Version/s: 1.12.10
Labels:
None

Description

Current Situation

Currently JOC Cockpit and JobScheduler uses the c3p0 connection pool version 0.9.5.2.
A number of vulnerabilities affect this version, see https://www.cvedetails.com/cve/CVE-2018-20433/ and https://www.cvedetails.com/cve/CVE-2019-5427/

Desired Behavior

Due to vulnerability Issues of older c3p0 releases the JOC Cockpit and JobScheduler should use the current version 0.9.5.4 that fixes the issues.

Maintainer Notes

Release 1.11 that includes c3p0 version 0.9.5.2 is at its end of life. Therefore no maintenance release is provided.
Users of release 1.11 should therefore upgrade to release 1.12.

Attachments

Activity

People

Assignee:: Santiago Aucejo Petzoldt

Reporter:: Santiago Aucejo Petzoldt

Approver:: Oliver Haufe

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24 April 2019 09:21

Updated:: 29 July 2020 21:31

Resolved:: 24 April 2019 09:47