dependabot[bot] opened a new pull request, #23900:
URL: https://github.com/apache/camel/pull/23900

   Bumps [com.mchange:c3p0](https://github.com/swaldman/c3p0) from 0.14.0 to 0.14.1.
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/swaldman/c3p0/blob/0.14.x/CHANGELOG">com.mchange:c3p0's changelog</a>.</em></p>
   <blockquote>
   <p>c3p0-0.14.1
   -- Modify c3p0 to use new BeanInfoGen functionality, restoring compatibility with Java [7,11).
   -- Modify BeanInfoGen to (optionally but by default) cache descriptors rather than regenerating for each call to an introspection method.
   -- Modify BeanInfoGen to log items skipped from descriptors due to API incompatibility.
   -- Modify BeanInfoGen to generate BeanInfo classes in which properties/events/methods that existed in the JVM under which they were generated and built, but do not exist under the runtime JVM are tolerated, simply omitted at runtime from BeanInfo descriptors. This fixes compatibility with Java environments before Java 11, under whose API c3p0 and mchange-commons-java are currently built. (Thanks to Vlad Skarzhevskyy, <a href="https://github.com/skarzhevskyy"><code>@skarzhevskyy</code></a> on GitHub, for calling attention to this issue.)
   c3p0-0.14.0
   -- Update to mill 1.1.6 and fix broken support for reproducible builds via the SOURCE_DATE_EPOCH environment variable.
   -- Generate explicit BeanInfo classes for c3p0-defined concrete DataSource and ConnectionPoolDataSource implementations, which exclude &quot;connection&quot; and/or &quot;pooledConnection&quot; from introspected bean properties, in order to preclude attacks such as those described here: https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/
   -- Enforce a deterministic ordering on methods produced by the code generator DelegatorGenerator, in order to keep builds including such generated classes reproducible. (mchange-commons-java and c3p0 subclass)
   -- Define BeanInfoGen, a code-generation utility that defines explicit BeanInfo classes for what otherwise would have been introspected via JavaBean naming conventions, but that permits properties to be excluded from such introspection. (mchange-commons-java)
   -- JavaBeanObjectFactory now enforces a whitelist of classes it is willing to construct from References that call upon it. That whitelist is defined by new config parameter com.mchange.v2.naming.referenceableJavaBeanClassWhitelist (mchange-commons-java)
   -- Define false-biased config security key com.mchange.v2.naming.allowIndirectSerializationViaReference, disabling by default indirect serialization/deserialization of Referenceable but otherwise not serializable objects by serializing their references. This is a clever mechanism, but rarely used, and a place where attackers might smuggle a malicious reference. (mchange-commons-java)
   c3p0-0.13.0
   -- Ensure sessions are marked as endRequest() is called prior to check-in, to eliminate race between DBMS cleanup and checkout by a new client. Thanks Krrish (ota0912 on github).
   -- Take generic JavaBeanObjectFactory out of the whitelist of object factories, com.mchange.v2.naming.objectFactoryWhitelist, mchange-commons-java ReferenceableUtils is willing to dereference. Only C3P0JavaBeanObjectFactory should be used.
   -- Modify C3P0JavaBeanObjectFactory to use C3P0JavaBeanReferencePropertyOverrider.
   -- Modify the JavaBeanReferenceMaker employed by c3p0 beans to use C3P0JavaBeanReferencePropertyOverrider
   -- Define C3P0JavaBeanReferencePropertyOverrider, supporting the serialization and deserialization of user-defined config key value pairs (the 'extensions' property)
   -- Add support for extensions, in the form of JavaBeanReferencePropertyOverrider, that allow javax.naming.Referenceable JavaBeans that include non-String, non-coerceable-to-string, non-SecurelyStringifiable properties to use some custom serialization to a Reference. Add support in both the JavaBeanReferenceMaker and JavaBeanObjectFactory for such extensions.
   -- Replace with a CSV format internal use of Java serialization by JavaBeanObjectFactory and JavaBeanReferenceMaker when tracking reference properties. [in mchange-commons-java]
   -- Eliminate support for decoding BinaryRefAddrs via Java (de)serialization in JavaBeanObjectFactory. The capability still exists, but one must explicitly extend JavaBeanObjectFactory in order to support it. No existing classes in</p>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/swaldman/c3p0/commit/9084ab6577bb195672b8831d8fdbb9be22f76ebe"><code>9084ab6</code></a> Update versions for mchange-commons-java 0.6.1, c3p0-0.14.1 final.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/65797059ec020d4ccf4319fef57e799d1922cf00"><code>6579705</code></a> Add release notes for 0.14.1, update CHANGELOG.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/8b58820745c3c77cd964817b80eb3f6a224b359f"><code>8b58820</code></a> Use new functionality in BeanInfoGen, don't suppress caching (ie cache BeanIn...</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/993b9c2c00e8ac8a8f6df46bcc45ff34d4a32349"><code>993b9c2</code></a> Bump version to 0.14.1-SNAPSHOT, mchange-commons-java version to 0.6.1-SNAPSHOT.</li>
   <li>See full diff in <a href="https://github.com/swaldman/c3p0/compare/v0.14.0...v0.14.1">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.mchange:c3p0&package-manager=maven&previous-version=0.14.0&new-version=0.14.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

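The c3p0-0.14.0 entry quoted above says explicit BeanInfo classes are generated so that "connection" and "pooledConnection" are dropped from introspected bean properties. The following stand-alone Java program is an added illustration of that JavaBeans mechanism; it is not c3p0's or BeanInfoGen's code. NaiveSource, GuardedSource and GuardedSourceBeanInfo are hypothetical names, and the JDBC URL is a constructed sample value. The only library behaviour it relies on is the standard java.beans.Introspector rule that a class named `<BeanClassName>BeanInfo` in the same package is consulted first, and that a non-null property array from it replaces naming-convention introspection.

```java
import java.beans.BeanDescriptor;
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.beans.SimpleBeanInfo;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (not c3p0 code): shows how an explicit BeanInfo class hides a
// live-object getter such as getConnection() from JavaBeans introspection.
public class ExplicitBeanInfoDemo {

    // Hypothetical pooled-source bean WITHOUT an explicit BeanInfo. Naming-convention
    // introspection reports "connection" as a readable property, so any code that
    // walks bean properties reflectively will end up invoking getConnection().
    public static class NaiveSource {
        private String jdbcUrl = "jdbc:example://localhost/db"; // constructed sample value
        public String getJdbcUrl() { return jdbcUrl; }
        public void setJdbcUrl(String u) { jdbcUrl = u; }
        public Object getConnection() { return new Object(); } // stands in for a live Connection
    }

    // Same shape, but paired with the explicit BeanInfo class below.
    public static class GuardedSource {
        private String jdbcUrl = "jdbc:example://localhost/db"; // constructed sample value
        private int maxPoolSize = 10;
        public String getJdbcUrl() { return jdbcUrl; }
        public void setJdbcUrl(String u) { jdbcUrl = u; }
        public int getMaxPoolSize() { return maxPoolSize; }
        public void setMaxPoolSize(int n) { maxPoolSize = n; }
        public Object getConnection() { return new Object(); } // stands in for a live Connection
    }

    // Introspector looks for "<bean class name>BeanInfo" in the bean's package. For the
    // nested class above that binary name is ExplicitBeanInfoDemo$GuardedSourceBeanInfo,
    // which is exactly this nested class. Because getPropertyDescriptors() returns a
    // non-null array, the Introspector uses it instead of scanning getters and setters,
    // so "connection" never appears in the descriptors.
    public static class GuardedSourceBeanInfo extends SimpleBeanInfo {
        @Override
        public BeanDescriptor getBeanDescriptor() {
            return new BeanDescriptor(GuardedSource.class);
        }

        @Override
        public PropertyDescriptor[] getPropertyDescriptors() {
            try {
                // Only the configuration properties are listed; "connection" is deliberately absent.
                return new PropertyDescriptor[] {
                    new PropertyDescriptor("jdbcUrl", GuardedSource.class),
                    new PropertyDescriptor("maxPoolSize", GuardedSource.class),
                };
            } catch (IntrospectionException e) {
                throw new IllegalStateException("explicit BeanInfo is out of sync with the bean", e);
            }
        }
    }

    // Sorted property names the Introspector reports for a class. Object.class is
    // passed as the stop class so the inherited "class" property is left out.
    public static List<String> introspectedProperties(Class<?> beanClass)
            throws IntrospectionException {
        BeanInfo info = Introspector.getBeanInfo(beanClass, Object.class);
        List<String> names = new ArrayList<>();
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            names.add(pd.getName());
        }
        Collections.sort(names);
        return names;
    }

    public static void main(String[] args) throws IntrospectionException {
        System.out.println("NaiveSource:   " + introspectedProperties(NaiveSource.class));
        System.out.println("GuardedSource: " + introspectedProperties(GuardedSource.class));
        // Self-check of the kind a build could run: the guarded bean must not expose "connection".
        if (introspectedProperties(GuardedSource.class).contains("connection")) {
            throw new AssertionError("explicit BeanInfo was not picked up by the Introspector");
        }
    }
}
```

Save it as ExplicitBeanInfoDemo.java, compile and run with a plain JDK; the first line lists "connection" alongside "jdbcUrl", the second lists only the two configuration properties. The self-check at the end is the useful part for a dependency like this one: a unit test that asserts the live-object getters of your pooled DataSource never surface as bean properties will catch a regression if the explicit BeanInfo is renamed, moved out of the bean's package, or stops being loadable under a different JVM, which is exactly the compatibility problem the 0.14.1 entry above fixes.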