dependabot[bot] opened a new pull request, #1600:
URL: https://github.com/apache/tika/pull/1600

   Bumps [com.mchange:c3p0](https://github.com/swaldman/c3p0) from 0.9.5.5 to 0.10.0-pre1.
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/swaldman/c3p0/blob/v0.10.0-pre1/CHANGELOG">com.mchange:c3p0's changelog</a>.</em></p>
   <blockquote>
   <p>c3p0-0.10.0-pre1
   -- Fix doc comments no longer acceptable under persnicketty JDK 11
   -- Build with JDK 11 JVM (still emitting JDK 1.6 compatible sources)
   -- Get tests working under new mill build
   -- Reorganize to switch build from ant to mill
   -- Update to mchange-commons-java 0.2.20
   c3p0-0.9.5.5
   -- Update docs to describe new com.mchange.v2.log.MLog.useRedirectableLoggers setting, implemented in mchange-commons-java 0.2.19
   -- Update to mchange-commons-java 0.2.19
   -- Properly implement the JDBC 4.1 abort method. Thanks to Andrew Johnson for calling attention to this issue.
   c3p0-0.9.5.4
   -- Disabling entity expansions, as we did in v.0.9.5.3, turns out not to be sufficient to prevent all XML-config parsing related attacks (if an attacker can control the XML config file that will be parsed). We now make XML parsing much more restrictive by default, but allow users to revert to the old, permissive pre-0.9.5.3 behavior by setting config property 'com.mchange.v2.c3p0.cfg.xml.usePermissiveParser' to true. That property replaces and leaves deprecated the 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences' property introduced in 0.9.5.3. Many thanks to Aaron Massey (amassey) at HackerOne for calling attention to the continued vulnerability of XML parsing to these kinds of attacks.
   -- Address situation where a throwable during forceKillAcquires() left the force_kill_acquires flag set to true, making it impossible for the pool to restart acquisition attempts on recovery. We now unset the flag under any circumstance, but log interrupts or unexpected throwables, and make a best effort to complete the intended expiration of waiting clients by throwing InterruptException. Many thanks to Stefan Cordes (rscadrde on github), Vipin Nair (swvist on github), and Łukasz Jąder (ljader on github) for their work on this issue.
   c3p0-0.9.5.3
   -- Address CVE-2018-20433, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-20433">https://nvd.nist.gov/vuln/detail/CVE-2018-20433</a> re liberal parsing of XML config. By default, c3p0 no longer expands entity references in XML config files. This behavior can be overridden via config property 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences' by applications that understand the security concerns but wish to make use of entity references. Thanks to user zhutougg on GitHub for calling attention to and suggesting a fix for this issue.
   -- Upgrade dependency to mchange-commons-java 0.2.15, which includes support for log4j2 (implemented in mchange-commons-java by GitHub user fireandfuel). Many thanks!</p>
   <p>c3p0-0.9.5.2
   -- Fix a bug in MLog bridge to slf4j logging, in which loggability of levels of wrapped loggers was misreported, leading to useless allocation of log Strings below the logging threshold. Grr. [change is in mchange-commons-java 0.2.11]. Many thanks to Lewis Wong on Stack Exchange for calling attention to this issue.
   -- Embed last acquisition failure as nested Exception in CannotAcquireResourceException. Thanks to nigam on github for this addition.
   c3p0-0.9.5.1
   -- Implemented configuration property com.mchange.v2.c3p0.impl.DefaultConnectionTester.isValidTimeout to define timeouts on tests based on Connection.isValid(...). Many thanks to james-hu on github for suggesting this.
   -- Added a forceSynchronousCheckins config param, which can be a significant performance boost if no tests are performed on checkin and no long work is performed in ConnectionCustomizer.onCheckIn(...). The parameter is particularly useful for installations in which the Thread pool is under stress, as it permits prompt checkins without use of the Thread pool, and helps reduce Thread pool congestion.</p>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/swaldman/c3p0/commit/df2b44d286d1c33e726a250caa5c164ce9f226e9"><code>df2b44d</code></a> Update version number for 0.10.0-pre1 final.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/c52a8d91d7f8e50228ea6d57ea29c7122d0d6468"><code>c52a8d9</code></a> Tweak README.md</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/55e6f53b794c466dfb4f9b8daf611fab95127a1c"><code>55e6f53</code></a> Tweak README.md</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/5f49269c0703747029f4773189ddeb47e440baa5"><code>5f49269</code></a> More work on README.md and CHANGELOG.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/21eea099d2ec2cc9fbae8fbb272b50089d213085"><code>21eea09</code></a> Work on README.md; get docJar working under Java 11 persnicketty tooling.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/b24af8da5367067956002577a94c3596c0d8ccd7"><code>b24af8d</code></a> Compile Java 6 compatible classfiles (against newer API!)</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/bf886752d68ea2834715a5a9eae4378816a56fc7"><code>bf88675</code></a> Get all tests working.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/d792689ef3664d7abe81dab6c5e083c08e4c865e"><code>d792689</code></a> Add more tests and hints on variations of tests.</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/f6b1ce95d1d0c279542bc0e0aa93f7ab18e1b5d4"><code>f6b1ce9</code></a> Get C3P0BenchmarkApp running, add careful conditional logic to minimize unnec...</li>
   <li><a href="https://github.com/swaldman/c3p0/commit/0d37f26159796fc5b3307213ecd3b98c9cac4bb4"><code>0d37f26</code></a> Add minimal .gitignore</li>
   <li>Additional commits viewable in <a href="https://github.com/swaldman/c3p0/compare/c3p0-0.9.5.5...v0.10.0-pre1">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.mchange:c3p0&package-manager=maven&previous-version=0.9.5.5&new-version=0.10.0-pre1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
   - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   
   
   </details>
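The 0.9.5.3 and 0.9.5.4 changelog entries quoted above describe two parser postures for an attacker-controlled XML config file: first only disabling entity expansion, then refusing permissive parsing by default. The following is an added example, not c3p0's own config-loading code, that contrasts the two postures with the JDK's DocumentBuilderFactory on a constructed c3p0-style file; the mapping of c3p0's old expandEntityReferences property onto setExpandEntityReferences(false), the class name and the sample file are assumptions. The permissive builder accepts the DOCTYPE-bearing file, while the restrictive builder rejects it before any DTD is processed.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class C3p0XmlConfigParsers {
    // Constructed sample in the shape of a c3p0 XML config file. The DOCTYPE and
    // the harmless internal entity only show which parser still processes a DTD.
    static final String CONFIG_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE c3p0-config [ <!ENTITY pool \"sampleApp\"> ]>\n"
      + "<c3p0-config><named-config name=\"&pool;\">"
      + "<property name=\"maxPoolSize\">10</property></named-config></c3p0-config>";

    // Assumed equivalent of the 0.9.5.3 posture: entity references are not expanded,
    // but the DOCTYPE is still accepted and its DTD is still processed by the parser.
    static DocumentBuilder permissiveBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Restrictive posture: refuse any DOCTYPE outright, and additionally switch off
    // external entities, external DTD loading and XInclude as defence in depth.
    static DocumentBuilder restrictiveBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the builder accepts the document and false if it rejects it
    // (a disallowed DOCTYPE surfaces as a SAXParseException thrown by parse()).
    static boolean accepts(DocumentBuilder b, String xml) {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive accepts DTD config: " + accepts(permissiveBuilder(), CONFIG_WITH_DTD));
        System.out.println("restrictive accepts DTD config: " + accepts(restrictiveBuilder(), CONFIG_WITH_DTD));
    }
}
```

Compile and run with `javac C3p0XmlConfigParsers.java && java C3p0XmlConfigParsers`; only the JDK's built-in XML parser is needed.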


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
