Posted to dev@tika.apache.org by "dependabot[bot] (via GitHub)" <gi...@apache.org> on 2024/02/16 05:05:44 UTC

[PR] Bump com.mchange:c3p0 from 0.9.5.5 to 0.10.0-pre1 [tika]

dependabot[bot] opened a new pull request, #1600:
URL: https://github.com/apache/tika/pull/1600

   Bumps [com.mchange:c3p0](https://github.com/swaldman/c3p0) from 0.9.5.5 to 0.10.0-pre1.
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/swaldman/c3p0/blob/v0.10.0-pre1/CHANGELOG">com.mchange:c3p0's changelog</a>.</em></p>
   <blockquote>
   <p>c3p0-0.10.0-pre1
   -- Fix doc comments no longer acceptable under persnickety JDK 11
   -- Build with JDK 11 JVM (still emitting JDK 1.6 compatible sources)
   -- Get tests working under new mill build
   -- Reorganize to switch build from ant to mill
   -- Update to mchange-commons-java 0.2.20
   c3p0-0.9.5.5
   -- Update docs to describe new com.mchange.v2.log.MLog.useRedirectableLoggers setting, implemented
   in mchange-commons-java 0.2.19
   -- Update to mchange-commons-java 0.2.19
   -- Properly implement the JDBC 4.1 abort method. Thanks to Andrew Johnson for calling attention
   to this issue.
   c3p0-0.9.5.4
   -- Disabling entity expansions, as we did in v.0.9.5.3, turns out not to be sufficient to prevent all
   XML-config parsing related attacks (if an attacker can control the XML config file that will be
   parsed). We now make XML parsing much more restrictive by default, but allow users to revert to the
   old, permissive pre-0.9.5.3 behavior by setting config property 'com.mchange.v2.c3p0.cfg.xml.usePermissiveParser'
   to true. That property replaces and leaves deprecated the 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences'
   property introduced on 0.9.5.3. Many thanks to Aaron Massey (amassey) at HackerOne for calling attention
   to the continued vulnerability of XML parsing to these kinds of attacks.
   -- Address situation where a throwable during forceKillAcquires() left the force_kill_acquires flag
   set to true, making it impossible for the pool to restart acquisition attempts on recovery. We
   now unset the flag under any circumstance, but log interrupts or unexpected throwables, and make
   a best effort to complete the intended expiration of waiting clients by throwing InterruptException.
   Many thanks to Stefan Cordes (rscadrde on github), Vipin Nair (swvist on github), and Łukasz Jąder
   (ljader on github) for their work on this issue.
   c3p0-0.9.5.3
   -- Address CVE-2018-20433, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-20433">https://nvd.nist.gov/vuln/detail/CVE-2018-20433</a> re liberal parsing of
   XML config. By default, c3p0 no longer expands entity references in XML config files. This
   behavior can be overridden via config property 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences'
   by applications that understand the security concerns but wish to make use of entity references.
   Thanks to user zhutougg on GitHub for calling attention to and suggesting a fix for this issue.
   -- Upgrade dependency to mchange-commons-java 0.2.15, which includes support for log4j2 (implemented
   in mchange-commons-java by GitHub user fireandfuel). Many thanks!</p>
   <p>c3p0-0.9.5.2
   -- Fix a bug in MLog bridge to slf4j logging, in which loggability of levels of wrapped loggers
   was misreported, leading to useless allocation of log Strings below the logging threshold. Grr.
   [change is in mchange-commons-java 0.2.11]. Many thanks to Lewis Wong on Stack Exchange for calling
   attention to this issue.
   -- Embed last acquisition failure as nested Exception in CannotAcquireResourceException. Thanks to
   nigam on github for this addition.
   c3p0-0.9.5.1
   -- Implemented configuration property com.mchange.v2.c3p0.impl.DefaultConnectionTester.isValidTimeout
   to define timeouts on tests based on Connection.isValid(...). Many thanks to james-hu on github
   for suggesting this.
   -- Added a forceSynchronousCheckins config param, which can be a significant performance boost
   if no tests are performed on checkin and no long work is performed in ConnectionCustomizer.onCheckIn(...).
   The parameter is particularly useful for installations in which the Thread pool is under stress,
   as it permits prompt checkins without use of the Thread pool, and helps reduce Thread pool congestion.</p>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/swaldman/c3p0/commit/df2b44d286d1c33e726a250caa5c164ce9f226e9"><code>df2b44d</code></a> Update version number for 0.10.0-pre1 final.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/c52a8d91d7f8e50228ea6d57ea29c7122d0d6468"><code>c52a8d9</code></a> Tweak README.md</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/55e6f53b794c466dfb4f9b8daf611fab95127a1c"><code>55e6f53</code></a> Tweak README.md</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/5f49269c0703747029f4773189ddeb47e440baa5"><code>5f49269</code></a> More work on README.md and CHANGELOG.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/21eea099d2ec2cc9fbae8fbb272b50089d213085"><code>21eea09</code></a> Work on README.md; get docJar working under Java 11 persnicketty tooling.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/b24af8da5367067956002577a94c3596c0d8ccd7"><code>b24af8d</code></a> Compile Java 6 compatible classfiles (against newer API!)</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/bf886752d68ea2834715a5a9eae4378816a56fc7"><code>bf88675</code></a> Get all tests working.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/d792689ef3664d7abe81dab6c5e083c08e4c865e"><code>d792689</code></a> Add more tests and hints on variations of tests.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/f6b1ce95d1d0c279542bc0e0aa93f7ab18e1b5d4"><code>f6b1ce9</code></a> Get C3P0BenchmarkApp running, add careful conditional logic to minimize unnec...</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/0d37f26159796fc5b3307213ecd3b98c9cac4bb4"><code>0d37f26</code></a> Add minimal .gitignore</li>
   <li>Additional commits viewable in <a href="https://github.com/swaldman/c3p0/compare/c3p0-0.9.5.5...v0.10.0-pre1">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.mchange:c3p0&package-manager=maven&previous-version=0.9.5.5&new-version=0.10.0-pre1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
   - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tika.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
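The c3p0-0.9.5.3 and c3p0-0.9.5.4 changelog entries quoted in the PR above describe switching an XML config loader from entity-expanding, DTD-honouring defaults to a restrictive parser, with `com.mchange.v2.c3p0.cfg.xml.usePermissiveParser` as the opt-out. The following is an added example written for this thread, not c3p0's or Tika's own code: it puts a permissive JAXP `DocumentBuilderFactory` beside a restrictive one and runs both over a constructed config snippet that carries an inline DOCTYPE with an entity declaration. The `<config>`/`<property>` layout, the class name and the host `db.example.internal` are assumptions for illustration; the only c3p0-specific names are the property names quoted in the changelog, and the code does not reproduce how c3p0 itself configures its parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example (not c3p0 code): permissive vs. restrictive JAXP parsing of an
 * XML config file. The config layout below is a constructed sample, not
 * c3p0's real config schema.
 */
public class XmlConfigParsing {

    // Constructed sample: an inline DTD declaring an internal entity that a
    // property value references. A permissive parser expands it silently, so
    // whoever controls the file also controls what the application reads.
    static final String CONFIG_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE config [ <!ENTITY host \"db.example.internal\"> ]>\n"
      + "<config><property name=\"jdbcUrl\">jdbc:postgresql://&host;/app</property></config>";

    // Permissive: plain JAXP defaults, which process DTDs and expand entities.
    // This corresponds to the pre-0.9.5.3 behaviour the changelog describes.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Restrictive: refuse any DOCTYPE at all, so neither internal nor external
    // entities can be declared. The remaining settings are defence in depth
    // for parser implementations that do not honour disallow-doctype-decl.
    static DocumentBuilderFactory restrictiveFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse the config with the given factory and return the jdbcUrl value.
    static String jdbcUrl(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("property").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Permissive parse: the entity is expanded into the property value.
        System.out.println("permissive: " + jdbcUrl(permissiveFactory(), CONFIG_WITH_DOCTYPE));

        // Restrictive parse: the DOCTYPE is rejected before any entity is processed,
        // which is the failure mode to expect once a loader is hardened.
        try {
            jdbcUrl(restrictiveFactory(), CONFIG_WITH_DOCTYPE);
            System.out.println("restrictive: unexpectedly parsed");
        } catch (SAXParseException e) {
            System.out.println("restrictive: rejected (" + e.getMessage() + ")");
        }
    }
}
```

With the JDK's built-in parser the permissive run prints `jdbc:postgresql://db.example.internal/app` and the restrictive run throws a `SAXParseException` at the DOCTYPE. The `ACCESS_EXTERNAL_*` attributes are supported by the JDK's JAXP implementation; an older standalone Xerces on the classpath may reject them with `IllegalArgumentException`, which is why the feature-based settings are kept alongside them. The practical check when a dependency like c3p0 moves to a restrictive parser is the inverse of this run: confirm that your real config files still load, and treat a DOCTYPE-related parse error as a reason to remove the DOCTYPE rather than to set `usePermissiveParser` to true.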


Re: [PR] Bump com.mchange:c3p0 from 0.9.5.5 to 0.10.0-pre1 [tika]

Posted by "THausherr (via GitHub)" <gi...@apache.org>.
THausherr commented on PR #1600:
URL: https://github.com/apache/tika/pull/1600#issuecomment-1948003211

   Closing this one because it's a pre-release. However it builds here and at home on Windows, also for 2.x.




Re: [PR] Bump com.mchange:c3p0 from 0.9.5.5 to 0.10.0-pre1 [tika]

Posted by "THausherr (via GitHub)" <gi...@apache.org>.
THausherr closed pull request #1600: Bump com.mchange:c3p0 from 0.9.5.5 to 0.10.0-pre1
URL: https://github.com/apache/tika/pull/1600




Re: [PR] Bump com.mchange:c3p0 from 0.9.5.5 to 0.10.0-pre1 [tika]

Posted by "dependabot[bot] (via GitHub)" <gi...@apache.org>.
dependabot[bot] commented on PR #1600:
URL: https://github.com/apache/tika/pull/1600#issuecomment-1948003267

   OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`. You can also ignore all major, minor, or patch releases for a dependency by adding an [`ignore` condition](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#ignore) with the desired `update_types` to your config file.
   
   If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

