Hello community,

here is the log from the commit of package c3p0 for openSUSE:Factory checked in 
at 2026-07-01 21:08:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/c3p0 (Old)
 and      /work/SRC/openSUSE:Factory/.c3p0.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "c3p0"

Wed Jul  1 21:08:46 2026 rev:10 rq:1363016 version:0.14.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/c3p0/c3p0.changes        2026-03-04 
21:04:23.158371642 +0100
+++ /work/SRC/openSUSE:Factory/.c3p0.new.11887/c3p0.changes     2026-07-01 
21:08:51.905179648 +0200
@@ -1,0 +2,90 @@
+Wed Jul  1 14:16:55 UTC 2026 - Fridrich Strba <[email protected]>
+
+- Upgrade to upstream version 0.14.1
+  * Changes in version 0.14.1
+    + Modify c3p0 to use new BeanInfoGen functionality, restoring
+      compatibility with Java [7,11).
+    + Modify BeanInfoGen to (optionally, but by default) cache
+      descriptors rather than regenerating them for each call to an
+      introspection method.
+    + Modify BeanInfoGen to log items skipped from descriptors due
+      to API incompatibility.
+    + Modify BeanInfoGen to generate BeanInfo classes in which
+      properties/events/methods that existed in the JVM under which
+      they were generated and built, but do not exist under the
+      runtime JVM, are tolerated and simply omitted at runtime from
+      BeanInfo descriptors. This fixes compatibility with Java
+      environments before Java 11, under whose API c3p0 and
+      mchange-commons-java are currently built.
+  * Changes in 0.14.0
+    + Update to mill 1.1.6 and fix broken support for reproducible
+      builds via the SOURCE_DATE_EPOCH environment variable.
+    + Generate explicit BeanInfo classes for c3p0-defined concrete
+      DataSource and ConnectionPoolDataSource implementations, which
+      exclude "connection" and/or "pooledConnection" from
+      introspected bean properties, in order to preclude attacks.
+      (bsc#1269941, CVE-2026-55223)
+    + Enforce a deterministic ordering on methods produced by the
+      code generator DelegatorGenerator, in order to keep builds
+      including such generated classes reproducible.
+    + Define BeanInfoGen, a code-generation utility that defines
+      explicit BeanInfo classes for what otherwise would have been
+      introspected via JavaBean naming conventions, but permits
+      properties to be excluded from such introspection.
+    + JavaBeanObjectFactory now enforces an allowlist of classes it
+      is willing to construct from References that call upon it.
+      That allowlist is defined by the new config parameter
+      com.mchange.v2.naming.referenceableJavaBeanClassWhitelist
+    + Define the false-biased config security key
+      com.mchange.v2.naming.allowIndirectSerializationViaReference,
+      disabling by default indirect serialization/deserialization of
+      Referenceable but otherwise non-serializable objects by
+      serializing their references. This is a clever mechanism, but
+      it is rarely used and provides a place where attackers might
+      smuggle a malicious reference.
+  * Changes in 0.13.0
+    + Ensure sessions are marked as endRequest() is called prior to
+      check-in, to eliminate a race condition between DBMS cleanup
+      and checkout by a new client.
+    + Remove the generic JavaBeanObjectFactory from the allowlist of
+      object factories, com.mchange.v2.naming.objectFactoryWhitelist,
+      that mchange-commons-java ReferenceableUtils is willing to
+      dereference. Only C3P0JavaBeanObjectFactory should be used.
+    + Modify C3P0JavaBeanObjectFactory to use
+      C3P0JavaBeanReferencePropertyOverrider.
+    + Modify the JavaBeanReferenceMaker employed by c3p0 beans to use
+      C3P0JavaBeanReferencePropertyOverrider.
+    + Define C3P0JavaBeanReferencePropertyOverrider, supporting the
+      serialization and deserialization of user-defined config
+      key-value pairs (the 'extensions' property).
+    + Add support for extensions, in the form of
+      JavaBeanReferencePropertyOverrider, that allow
+      javax.naming.Referenceable JavaBeans that include non-String,
+      non-coercible-to-string, non-SecurelyStringifiable properties
+      to use custom serialization to a Reference. Add support for
+      such extensions to both the JavaBeanReferenceMaker and
+      JavaBeanObjectFactory.
+    + Replace the internal use of Java serialization by
+      JavaBeanObjectFactory and JavaBeanReferenceMaker with a CSV
+      format when tracking reference properties.
+    + Eliminate support for decoding BinaryRefAddrs via Java
+      (de)serialization in JavaBeanObjectFactory. The capability
+      still exists, but one must explicitly extend
+      JavaBeanObjectFactory in order to support it. No existing
+      classes in c3p0 or mchange-commons-java now use Java
+      serialization to unpickle objects from References.
+    + Add support for SecurelySerializable to c3p0's code-generated
+      bean superclasses, as well as to the concrete derived beans.
+    + Define CsvSecurelyStringifiableBeangenGeneratorExtension to
+      enable code-generated Java beans that support the new
+      SecurelyStringifiable alternative serialization.
+    + When generating references with JavaBeanReferenceMaker, gate
+      the use of Java serialization to define properties behind a
+      new false-biased configuration parameter,
+      com.mchange.v2.naming.generateSerializedObjectBinaryRefAddr.
+      (This should almost never be reset to true.)
+    + Define a SecurelyStringifiable mechanism in com.mchange.v2
+      .naming, intended to replace the use of dangerous Java
+      serialization in the construction of references.
+
+-------------------------------------------------------------------
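
Review bot: The 0.14.0 and 0.13.0 entries change defaults that existing deployments may depend on, and the changelog does not flag them as behaviour changes. JavaBeanObjectFactory is dropped from com.mchange.v2.naming.objectFactoryWhitelist and now enforces com.mchange.v2.naming.referenceableJavaBeanClassWhitelist, and both com.mchange.v2.naming.allowIndirectSerializationViaReference and com.mchange.v2.naming.generateSerializedObjectBinaryRefAddr are false-biased. Since this update jumps from 0.12.0 straight to 0.14.1, a short line under the "Upgrade to upstream version 0.14.1" bullet would help, naming these keys as the ones to check if JNDI reference handling stops working after the update. Separately, only the BeanInfo item carries (bsc#1269941, CVE-2026-55223); if the allowlist and serialization items belong to the same fix, the reference should say so. The 0.13.0 line "Ensure sessions are marked as endRequest() is called prior to check-in" also reads as garbled and is worth checking against the upstream wording.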

Old:
----
  c3p0-0.12.0-sources.jar
  c3p0-0.12.0.pom

New:
----
  c3p0-0.14.1-sources.jar
  c3p0-0.14.1.pom

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ c3p0.spec ++++++
--- /var/tmp/diff_new_pack.m5SqXL/_old  2026-07-01 21:08:52.717207408 +0200
+++ /var/tmp/diff_new_pack.m5SqXL/_new  2026-07-01 21:08:52.717207408 +0200
@@ -18,7 +18,7 @@
 
 
 Name:           c3p0
-Version:        0.12.0
+Version:        0.14.1
 Release:        0
 Summary:        JDBC DataSources/Resource Pools
 License:        LGPL-2.0-or-later
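
Review bot: The context line "License: LGPL-2.0-or-later" in this hunk does not match the pom shipped in the same commit, which declares LGPL-2.1-or-later and EPL-1.0 as two licenses. Since the version bump touches this block anyway, the License tag should be rechecked against the 0.14.1 sources and corrected if the pom is right.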
@@ -31,7 +31,7 @@
 BuildRequires:  fdupes
 BuildRequires:  java-devel >= 11
 BuildRequires:  javapackages-local >= 6
-BuildRequires:  mchange-commons >= 0.4.0
+BuildRequires:  mchange-commons >= 0.6.0
 BuildRequires:  unzip
 BuildArch:      noarch
 
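
Review bot: The new lower bound "mchange-commons >= 0.6.0" is looser than what the 0.14.1 pom in this same commit requests, which is mchange-commons-java 0.6.1. The changelog says 0.14.1 relies on new BeanInfoGen functionality, so a build against 0.6.0 may not have it. Suggest "BuildRequires:  mchange-commons >= 0.6.1" unless 0.6.0 is known to be sufficient.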

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.m5SqXL/_old  2026-07-01 21:08:52.757208775 +0200
+++ /var/tmp/diff_new_pack.m5SqXL/_new  2026-07-01 21:08:52.761208912 +0200
@@ -1,6 +1,6 @@
-mtime: 1772601473
-commit: 4a46c7164fec6b02e96a35a00d859e74035d7343d65e8830434140447e45b789
-url: https://src.opensuse.org/java-packages/c3p0.git
-revision: 4a46c7164fec6b02e96a35a00d859e74035d7343d65e8830434140447e45b789
+mtime: 1782917269
+commit: baad8ef88d9239e44bc3c43645a3579a5a03840bf54ddfae3094004a57dedccb
+url: https://src.opensuse.org/java-packages/c3p0
+revision: baad8ef88d9239e44bc3c43645a3579a5a03840bf54ddfae3094004a57dedccb
 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj
 

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2026-07-01 16:47:49.000000000 +0200
@@ -0,0 +1 @@
+.osc

++++++ c3p0-0.12.0.pom -> c3p0-0.14.1.pom ++++++
--- /work/SRC/openSUSE:Factory/c3p0/c3p0-0.12.0.pom     2026-03-04 
21:04:23.130370485 +0100
+++ /work/SRC/openSUSE:Factory/.c3p0.new.11887/c3p0-0.14.1.pom  2026-07-01 
21:08:51.705172810 +0200
@@ -7,16 +7,16 @@
     <artifactId>c3p0</artifactId>
     <packaging>jar</packaging>
     <description>A mature JDBC3+ Connection pooling library</description>
-    <version>0.12.0</version>
+    <version>0.14.1</version>
     <url>https://www.mchange.com/projects/c3p0</url>
     <licenses>
         <license>
-            <name>LGPL-2.1-or-later</name>
+            <name>GNU Lesser General Public License v2.1 or later</name>
             <url>https://spdx.org/licenses/LGPL-2.1-or-later.html</url>
             <distribution>repo</distribution>
         </license>
         <license>
-            <name>EPL-1.0</name>
+            <name>Eclipse Public License 1.0</name>
             <url>https://spdx.org/licenses/EPL-1.0.html</url>
             <distribution>repo</distribution>
         </license>
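
Review bot: Both license <name> elements move from SPDX identifiers (LGPL-2.1-or-later, EPL-1.0) to free-text names, so license scanners and SBOM tooling that match on <name> lose the exact identifier and have to fall back on the <url>. If this pom is taken verbatim from upstream that is fine to keep, but it is worth confirming that nothing in the packaging chain parses the name field.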
@@ -31,13 +31,14 @@
             <id>swaldman</id>
             <name>Steve Waldman</name>
             <url>https://github.com/swaldman</url>
+            <email></email>
         </developer>
     </developers>
     <dependencies>
         <dependency>
             <groupId>com.mchange</groupId>
             <artifactId>mchange-commons-java</artifactId>
-            <version>0.4.0</version>
+            <version>0.6.1</version>
         </dependency>
     </dependencies>
 </project>
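
Review bot: The added "<email></email>" in the developer block is an empty element that carries no information; if the pom is regenerated or patched locally it can be dropped. The dependency in this hunk is now mchange-commons-java 0.6.1, which should be kept consistent with the BuildRequires bound in c3p0.spec.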

++++++ c3p0-build.xml ++++++
--- /var/tmp/diff_new_pack.m5SqXL/_old  2026-07-01 21:08:52.985216570 +0200
+++ /var/tmp/diff_new_pack.m5SqXL/_new  2026-07-01 21:08:52.989216706 +0200
@@ -9,7 +9,7 @@
   <property file="build.properties"/>
 
   <property name="project.artifactId" value="c3p0"/>
-  <property name="project.version" value="0.12.0"/>
+  <property name="project.version" value="0.14.1"/>
 
   <property name="compiler.release" value="8"/>
   <property name="compiler.source" value="1.${compiler.release}"/>
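
Review bot: project.version is hardcoded here as "0.14.1", as it is in c3p0.spec and the pom, so every update has to touch three places and a missed one produces a jar whose embedded version disagrees with the package. Consider passing the value from the spec's Version at build time instead of editing c3p0-build.xml on each bump.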
