debian/changelog

-c3p0 (0.9.1.2-10) UNRELEASED; urgency=medium
+c3p0 (0.9.1.2-10) unstable; urgency=medium
 
   * Team upload.
-  * Moved the package to Git
-  * Bump Standards-Version to 3.9.6 (no changes)
 
- -- tony mancill <tmancill@debian.org>  Wed, 25 Nov 2015 22:10:31 -0800
+  [ tony mancill ]
+  * Moved the package to Git.
+
+  [ Markus Koschany ]
+  * Switch to compat level 10.
+  * Use https for Format field.
+  * Declare compliance with Debian Policy 4.3.0.
+  * Use canonical VCS URI.
+  * Rename README.Debian-source to README.source
+  * Fix CVE-2018-20433.
+    Thanks to Salvatore Bonaccorso for the report. (Closes: #917257)
+  * Install the documentation into canonical directory.
+
+ -- Markus Koschany <apo@debian.org>  Tue, 25 Dec 2018 15:16:25 +0100
 
 c3p0 (0.9.1.2-9) unstable; urgency=medium
 

debian/compat

-9
+10

debian/control

@@ -3,11 +3,11 @@ Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
 Uploaders: Varun Hiremath <varun@debian.org>, Emmanuel Bourg <ebourg@apache.org>
-Build-Depends: debhelper (>= 9), cdbs, maven-repo-helper, default-jdk
+Build-Depends: debhelper (>= 10), cdbs, maven-repo-helper, default-jdk
 Build-Depends-Indep: ant, liblog4j1.2-java, ant-optional, junit, libhsqldb-java
-Standards-Version: 3.9.6
-Vcs-Git: git://anonscm.debian.org/pkg-java/c3p0.git
-Vcs-Browser: http://anonscm.debian.org/cgit/pkg-java/c3p0.git
+Standards-Version: 4.3.0
+Vcs-Git: https://salsa.debian.org/java-team/c3p0.git
+Vcs-Browser: https://salsa.debian.org/java-team/c3p0
 Homepage: http://sourceforge.net/projects/c3p0
 
 Package: libc3p0-java

debian/copyright

-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: c3p0
 Upstream-Contact: Steve Waldman <swaldman@users.sourceforge.net>
 Source: https://sourceforge.net/projects/c3p0

debian/libc3p0-java-doc.doc-base

@@ -6,5 +6,5 @@ Abstract: This is the programmer API of c3p0, a library for JDBC
 Section: Programming
 
 Format: HTML
-Index: /usr/share/doc/libc3p0-java-doc/api/index.html
-Files: /usr/share/doc/libc3p0-java-doc/api/*.html
+Index: /usr/share/doc/libc3p0-java/api/index.html
+Files: /usr/share/doc/libc3p0-java/api/*.html

debian/libc3p0-java-doc.docs

-build/api

debian/libc3p0-java-doc.install

+build/api usr/share/doc/libc3p0-java/

debian/patches/CVE-2018-20433.patch

+From: Markus Koschany <apo@debian.org>
+Date: Tue, 25 Dec 2018 15:14:04 +0100
+Subject: CVE-2018-20433
+
+Bug-Debian: https://bugs.debian.org/917257
+Origin: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
+---
+ src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+index 3878e89..4a75bd8 100644
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -132,6 +132,7 @@ public final class C3P0ConfigXmlUtils
+     public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
+     {
+         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
++	fact.setExpandEntityReferences(false);
+         DocumentBuilder db = fact.newDocumentBuilder();
+         Document doc = db.parse( is );
+ 

debian/patches/series

 build.patch
 testing.patch
 java-7-compat.patch
+CVE-2018-20433.patch