File _patchinfo of Package patchinfo.43042

<patchinfo incident="43042">
  <issue tracker="bnc" id="1259313">UI is down with 404 with new c3p0 mchange-commons update</issue>
  <issue tracker="cve" id="2026-27727"/>
  <issue tracker="bnc" id="1258913">VUL-0: CVE-2026-27727: mchange-commons,c3p0: download and execution of malicious code triggered by read of a maliciously crafted javax.naming.Reference or serialized object</issue>
  <issue tracker="cve" id="2026-27830"/>
  <issue tracker="bnc" id="1258942">VUL-0: CVE-2026-27830: c3p0: deserialization via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances</issue>
  <packager>admehmood</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for c3p0 and mchange-commons</summary>
  <description>This update for c3p0 and mchange-commons fixes the following issues:

c3p0:
    
- Security issues fixed:

  - CVE-2026-27830: Fixed unsafe object deserialization (bsc#1258942)

- Fix the null pointer exception in the userOverridesAsString
  method (bsc#1259313).
    
mchange-commons:

- Security issues fixed:

  - CVE-2026-27727: Disabled remote ClassLoading when dereferencing javax.naming.Reference instances (bsc#1258913)

</description>
</patchinfo>