Hello community,

here is the log from the commit of package c3p0 for openSUSE:Factory checked in at 2026-07-01 21:08:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/c3p0 (Old)
 and /work/SRC/openSUSE:Factory/.c3p0.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "c3p0" Wed Jul 1 21:08:46 2026 rev:10 rq:1363016 version:0.14.1 Changes: -------- --- /work/SRC/openSUSE:Factory/c3p0/c3p0.changes 2026-03-04 21:04:23.158371642 +0100 +++ /work/SRC/openSUSE:Factory/.c3p0.new.11887/c3p0.changes 2026-07-01 21:08:51.905179648 +0200 
@@ -1,0 +2,90 @@ +Wed Jul 1 14:16:55 UTC 2026 - Fridrich Strba <[email protected]> + +- Upgrade to upstream version 0.14.1 + * Changes in version 0.14.1 + + Modify c3p0 to use new BeanInfoGen functionality, restoring + compatibility with Java [7,11). + + Modify BeanInfoGen to (optionally, but by default) cache + descriptors rather than regenerating them for each call to an + introspection method. + + Modify BeanInfoGen to log items skipped from descriptors due + to API incompatibility. + + Modify BeanInfoGen to generate BeanInfo classes in which + properties/events/methods that existed in the JVM under which + they were generated and built, but do not exist under the + runtime JVM, are tolerated and simply omitted at runtime from + BeanInfo descriptors. This fixes compatibility with Java + environments before Java 11, under whose API c3p0 and + mchange-commons-java are currently built. + * Changes in 0.14.0 + + Update to mill 1.1.6 and fix broken support for reproducible + builds via the SOURCE_DATE_EPOCH environment variable. + + Generate explicit BeanInfo classes for c3p0-defined concrete + DataSource and ConnectionPoolDataSource implementations, which + exclude "connection" and/or "pooledConnection" from + introspected bean properties, in order to preclude attacks. + (bsc#1269941, CVE-2026-55223) + + Enforce a deterministic ordering on methods produced by the + code generator DelegatorGenerator, in order to keep builds + including such generated classes reproducible. + + Define BeanInfoGen, a code-generation utility that defines + explicit BeanInfo classes for what otherwise would have been + introspected via JavaBean naming conventions, but permits + properties to be excluded from such introspection. + + JavaBeanObjectFactory now enforces an allowlist of classes it + is willing to construct from References that call upon it. 
+ That allowlist is defined by the new config parameter + com.mchange.v2.naming.referenceableJavaBeanClassWhitelist + + Define the false-biased config security key + com.mchange.v2.naming.allowIndirectSerializationViaReference, + disabling by default indirect serialization/deserialization of + Referenceable but otherwise non-serializable objects by + serializing their references. This is a clever mechanism, but + it is rarely used and provides a place where attackers might + smuggle a malicious reference. + * Changes in 0.13.0 + + Ensure sessions are marked as endRequest() is called prior to + check-in, to eliminate a race condition between DBMS cleanup + and checkout by a new client. + + Remove the generic JavaBeanObjectFactory from the allowlist of + object factories, com.mchange.v2.naming.objectFactoryWhitelist, + that mchange-commons-java ReferenceableUtils is willing to + dereference. Only C3P0JavaBeanObjectFactory should be used. + + Modify C3P0JavaBeanObjectFactory to use + C3P0JavaBeanReferencePropertyOverrider. + + Modify the JavaBeanReferenceMaker employed by c3p0 beans to use + C3P0JavaBeanReferencePropertyOverrider. + + Define C3P0JavaBeanReferencePropertyOverrider, supporting the + serialization and deserialization of user-defined config + key-value pairs (the 'extensions' property). + + Add support for extensions, in the form of + JavaBeanReferencePropertyOverrider, that allow + javax.naming.Referenceable JavaBeans that include non-String, + non-coercible-to-string, non-SecurelyStringifiable properties + to use custom serialization to a Reference. Add support for + such extensions to both the JavaBeanReferenceMaker and + JavaBeanObjectFactory. + + Replace the internal use of Java serialization by + JavaBeanObjectFactory and JavaBeanReferenceMaker with a CSV + format when tracking reference properties. + + Eliminate support for decoding BinaryRefAddrs via Java + (de)serialization in JavaBeanObjectFactory. 
The capability + still exists, but one must explicitly extend + JavaBeanObjectFactory in order to support it. No existing + classes in c3p0 or mchange-commons-java now use Java + serialization to unpickle objects from References. + + Add support for SecurelySerializable to c3p0's code-generated + bean superclasses, as well as to the concrete derived beans. + + Define CsvSecurelyStringifiableBeangenGeneratorExtension to + enable code-generated Java beans that support the new + SecurelyStringifiable alternative serialization. + + When generating references with JavaBeanReferenceMaker, gate + the use of Java serialization to define properties behind a + new false-biased configuration parameter, + com.mchange.v2.naming.generateSerializedObjectBinaryRefAddr. + (This should almost never be reset to true.) + + Define a SecurelyStringifiable mechanism in com.mchange.v2 + .naming, intended to replace the use of dangerous Java + serialization in the construction of references. + +------------------------------------------------------------------- Old: ---- c3p0-0.12.0-sources.jar c3p0-0.12.0.pom New: ---- c3p0-0.14.1-sources.jar c3p0-0.14.1.pom ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ c3p0.spec ++++++ --- /var/tmp/diff_new_pack.m5SqXL/_old 2026-07-01 21:08:52.717207408 +0200 +++ /var/tmp/diff_new_pack.m5SqXL/_new 2026-07-01 21:08:52.717207408 +0200 @@ -18,7 +18,7 @@ Name: c3p0 -Version: 0.12.0 +Version: 0.14.1 Release: 0 Summary: JDBC DataSources/Resource Pools License: LGPL-2.0-or-later @@ -31,7 +31,7 @@ BuildRequires: fdupes BuildRequires: java-devel >= 11 BuildRequires: javapackages-local >= 6 -BuildRequires: mchange-commons >= 0.4.0 +BuildRequires: mchange-commons >= 0.6.0 BuildRequires: unzip BuildArch: noarch ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.m5SqXL/_old 2026-07-01 21:08:52.757208775 +0200 +++ /var/tmp/diff_new_pack.m5SqXL/_new 2026-07-01 21:08:52.761208912 +0200 
@@ -1,6 +1,6 @@ -mtime: 1772601473 -commit: 4a46c7164fec6b02e96a35a00d859e74035d7343d65e8830434140447e45b789 -url: https://src.opensuse.org/java-packages/c3p0.git -revision: 4a46c7164fec6b02e96a35a00d859e74035d7343d65e8830434140447e45b789 +mtime: 1782917269 +commit: baad8ef88d9239e44bc3c43645a3579a5a03840bf54ddfae3094004a57dedccb +url: https://src.opensuse.org/java-packages/c3p0 +revision: baad8ef88d9239e44bc3c43645a3579a5a03840bf54ddfae3094004a57dedccb projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-07-01 16:47:49.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ c3p0-0.12.0.pom -> c3p0-0.14.1.pom ++++++ --- /work/SRC/openSUSE:Factory/c3p0/c3p0-0.12.0.pom 2026-03-04 21:04:23.130370485 +0100 +++ /work/SRC/openSUSE:Factory/.c3p0.new.11887/c3p0-0.14.1.pom 2026-07-01 21:08:51.705172810 +0200 @@ -7,16 +7,16 @@ <artifactId>c3p0</artifactId> <packaging>jar</packaging> <description>A mature JDBC3+ Connection pooling library</description> - <version>0.12.0</version> + <version>0.14.1</version> <url>https://www.mchange.com/projects/c3p0</url> <licenses> <license> - <name>LGPL-2.1-or-later</name> + <name>GNU Lesser General Public License v2.1 or later</name> <url>https://spdx.org/licenses/LGPL-2.1-or-later.html</url> <distribution>repo</distribution> </license> <license> - <name>EPL-1.0</name> + <name>Eclipse Public License 1.0</name> <url>https://spdx.org/licenses/EPL-1.0.html</url> <distribution>repo</distribution> </license> 
@@ -31,13 +31,14 @@ <id>swaldman</id> <name>Steve Waldman</name> <url>https://github.com/swaldman</url> + <email></email> </developer> </developers> <dependencies> <dependency> <groupId>com.mchange</groupId> <artifactId>mchange-commons-java</artifactId> - <version>0.4.0</version> + <version>0.6.1</version> </dependency> </dependencies> </project> ++++++ c3p0-build.xml ++++++ --- /var/tmp/diff_new_pack.m5SqXL/_old 2026-07-01 21:08:52.985216570 +0200 +++ /var/tmp/diff_new_pack.m5SqXL/_new 2026-07-01 21:08:52.989216706 +0200 @@ -9,7 +9,7 @@ <property file="build.properties"/> <property name="project.artifactId" value="c3p0"/> - <property name="project.version" value="0.12.0"/> + <property name="project.version" value="0.14.1"/> <property name="compiler.release" value="8"/> <property name="compiler.source" value="1.${compiler.release}"/>
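Review bot: In the c3p0.changes hunk (@@ -1,0 +2,90 @@), several items change defaults in the restrictive direction but are listed as ordinary bullets: com.mchange.v2.naming.allowIndirectSerializationViaReference and com.mchange.v2.naming.generateSerializedObjectBinaryRefAddr are both described as false-biased, JavaBeanObjectFactory is removed from com.mchange.v2.naming.objectFactoryWhitelist, and JavaBeanObjectFactory now enforces com.mchange.v2.naming.referenceableJavaBeanClassWhitelist. Because this update goes from 0.12.0 straight to 0.14.1, consider adding one line at the top of the entry stating that Reference-based serialization behaviour changes by default and naming these keys, so packagers of dependent software know what to check. Only the BeanInfo item carries (bsc#1269941, CVE-2026-55223); if the other hardening items are tracked elsewhere, reference those too.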
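Review bot: In the c3p0.spec hunk at @@ -31,7 +31,7 @@, the new lower bound `BuildRequires: mchange-commons >= 0.6.0` is below the version the updated pom declares for mchange-commons-java (`<version>0.6.1</version>`). The changelog places part of the hardening in that library (ReferenceableUtils and its objectFactoryWhitelist), so consider raising the bound to `>= 0.6.1` to keep the build from resolving against an older release than the pom names, or add a comment explaining why 0.6.0 is sufficient.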
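Review bot: In the c3p0-0.14.1.pom hunk at @@ -7,16 +7,16 @@, the two license entries still point to LGPL-2.1-or-later and EPL-1.0, while the unchanged context line `License: LGPL-2.0-or-later` in the c3p0.spec hunk matches neither. Since the license names are being touched in this update anyway, please confirm the spec License tag against the pom and the upstream sources and align it in the same submission, or state in the changelog why the spec value differs.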
