Control: tags -1 confirmed moreinfo

Hi,

On Wed, Jul 16, 2025 at 12:02:07AM +0200, Pierre Gruet wrote:
> This is a request for upload to unstable + unblock for the key package mina2,
> which has NOT yet been uploaded to unstable.
>
> [ Reason ]
> mina2 is affected by grave bug #1091530 about CVE-2024-52046. I have prepared
> an upload that fixes it by following the security tracker
> https://security-tracker.debian.org/tracker/CVE-2024-52046
>
> As
> https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
> explains, the CVE is fixed by applying commit cdb59eb, visible at
>
> https://github.com/apache/mina/commit/cdb59eb6131696a440870ab89ad0e20804eb5ca7#diff-cb3019e35ae0f7cccf4b546a473fbb784e94624dc736a754e3ad01633ceaf32dR401-R402
> and by reworking calls to ObjectSerializationDecoder in the rdeps of mina2. I
> checked that no Debian package calls this class.
>
> My only change to the package is applying the above-cited commit.

I haven't tried to understand the details of this change. I assume that you
checked that all the changes in the patch are necessary to fix the security
issue. If that's the case: Please go ahead with the upload and remove the
moreinfo tag from this unblock request once the new upload has been in unstable
for a few days, and you think it's ready to migrate.

Thanks,
Ivo
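Added illustration of what "reworking calls to ObjectSerializationDecoder in the rdeps" means for a caller of mina2. This is example code written for this page, not code from the bug report, from Debian or from Apache MINA. It relies on the behaviour described in the upstream thread linked in the quoted mail: after the fix the decoder rejects every class by default, and a caller must opt classes in with accept(String...) (wildcard patterns). The package name com.example.messages, the Greeting class, the size limit and the port are assumptions chosen for illustration.

```java
package com.example.messages; // hypothetical application package (assumption)

import java.io.Serializable;
import java.net.InetSocketAddress;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

/** The only message type this server expects on the wire (hypothetical). */
final class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
}

/**
 * Caller-side change required by the CVE-2024-52046 fix.
 * Example code written for this page; not part of Apache MINA or mina2.
 */
public class ObjectCodecServer {

    /**
     * BEFORE the fix: the decoder deserialized any class it could load, so a
     * remote peer chose which objects were instantiated. Kept for contrast only.
     */
    static ProtocolCodecFilter unrestrictedCodec() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder);
    }

    /**
     * AFTER the fix: the decoder rejects every class unless explicitly accepted
     * (per the upstream advisory). A reverse dependency that still builds the
     * decoder as above therefore fails on every message until it calls accept().
     */
    static ProtocolCodecFilter allowlistedCodec() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // Wildcard pattern from the upstream API; keep it as narrow as the protocol
        // allows. Any JDK or library classes carried as fields of the accepted
        // types (collections, for example) must be listed here as well.
        decoder.accept("com.example.messages.*");
        // Independent of the CVE: bound the serialized payload size (assumed limit).
        decoder.setMaxObjectSize(64 * 1024);
        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder);
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec", allowlistedCodec());
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of accepted classes get this far; anything else
                // was rejected by the decoder before reaching the handler.
                if (message instanceof Greeting) {
                    session.write(new Greeting("hello, " + ((Greeting) message).text));
                }
            }
        });
        acceptor.bind(new InetSocketAddress(9123)); // port is arbitrary
    }
}
```

The check a packager can run on a reverse dependency is the one Pierre describes above: grep the source for ObjectSerializationDecoder (and ObjectSerializationCodecFactory, which wraps it); every construction site must gain an accept() call listing the classes the protocol actually carries, otherwise the package stops decoding messages once the fixed mina2 migrates.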

