Update release notes and CHANGELOG.

swaldman · swaldman · commit 9638cb5160aa · 2019-01-26T23:49:47.000-08:00
diff --git a/src/dist-static/CHANGELOG b/src/dist-static/CHANGELOG
@@ -1,3 +1,12 @@
+c3p0-0.9.5.3
+	-- Address CVE-2018-20433, https://nvd.nist.gov/vuln/detail/CVE-2018-20433 re liberal parsing of
+	   XML config. By default, c3p0 no longer expands entity references in XML config files. This
+	   behavior can be overridden via config property 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences'
+	   by applications that understand the security concerns but wish to make use of entity references.
+	   Thanks to user zhutougg on GitHub for calling attention to and suggesting a fix for this issue.
+	-- Upgrade dependency to mchange-commons-java 0.2.15, which includes support for log4j2 (implemented
+	   in mchange-commons-java by GitHub user fireandfuel. Many thanks!
+
 c3p0-0.9.5.2
 	-- Fix a bug in MLog bridge to slf4j logging, in which loggability of levels of wrapped loggers
 	   was misreported, leading to useless allocation of log Strings below the logging threshold. Grr.
diff --git a/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.2 b/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.2
@@ -0,0 +1,7 @@
+RELEASE NOTES, c3p0-0.9.5.2
+===========================
+
++ This minor bugfix release fixed a bug that caused useless allocation of below-logging-threshold
+  Strings, and added better debugging information on failed attempts to acquire database Connections.
+
+
diff --git a/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.3 b/src/dist-static/RELEASE_NOTES-c3p0-0.9.5.3
@@ -0,0 +1,25 @@
+RELEASE NOTES, c3p0-0.9.5.3
+===========================
+
++ This minor bugfix release addresses a security issue:
+
+    CVE-2018-20433, https://nvd.nist.gov/vuln/detail/CVE-2018-20433
+    
+  The c3p0 parsed XML config files liberally, including resolving external
+  entity references. Incautious use of this feature could permit injection
+  of malicious config. Now c3p0 does not resolve external entity references
+  in its the XML config file.
+
+  HOWEVER, in the EXCEEDINGLY RARE CASE that your configuration depends on
+  the old behavior, if you have UNDERSTOOD the security concern, you may
+  restore external entity resolution with the following config parameter
+  (in c3p0.properties, as HOCON config, or as a System property):
+
+     com.mchange.v2.c3p0.cfg.xml.expandEntityReferences=true
+
+  Thanks to user zhutougg on GitHub for calling attention to and suggesting
+  a fix for this issue.
+
++ c3p0 now supports logging to log4j2. (Logging to the old, original log4j
+  library remains supported as well.) Thanks to user fireandfuel on GitHub
+  for implementing this feature! (In the mchange-commons-java library.)
