{"affected":[{"ecosystem_specific":{"binaries":[{"c3p0":"0.9.5.5-150400.3.5.1","c3p0-javadoc":"0.9.5.5-150400.3.5.1","mchange-commons":"0.2.20-150400.3.3.1","mchange-commons-javadoc":"0.2.20-150400.3.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"c3p0","purl":"pkg:rpm/opensuse/c3p0&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.9.5.5-150400.3.5.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"c3p0":"0.9.5.5-150400.3.5.1","c3p0-javadoc":"0.9.5.5-150400.3.5.1","mchange-commons":"0.2.20-150400.3.3.1","mchange-commons-javadoc":"0.2.20-150400.3.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"mchange-commons","purl":"pkg:rpm/opensuse/mchange-commons&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.2.20-150400.3.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for c3p0 and mchange-commons fixes the following issues:\n\nc3p0:\n    \n- Security issues fixed:\n\n  - CVE-2026-27830: Fixed unsafe object deserialization (bsc#1258942)\n\n- Fix the null pointer exception in the userOverridesAsString\n  method (bsc#1259313).\n    \nmchange-commons:\n\n- Security issues fixed:\n\n  - CVE-2026-27727: Disabled remote ClassLoading when dereferencing javax.naming.Reference instances (bsc#1258913)\n\n","id":"SUSE-SU-2026:0855-1","modified":"2026-03-10T05:06:36Z","published":"2026-03-10T05:06:36Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2026/suse-su-20260855-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1258913"},{"type":"REPORT","url":"https://bugzilla.suse.com/1258942"},{"type":"REPORT","url":"https://bugzilla.suse.com/1259313"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-27727"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-27830"}],"related":["CVE-2026-27727","CVE-2026-27830"],"summary":"Security update for c3p0 and mchange-commons","upstream":["CVE-2026-27727","CVE-2026-27830"]}