[
https://issues.apache.org/jira/browse/DIRAPI-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18079546#comment-18079546
]
Mauro Molinari commented on DIRAPI-423:
---------------------------------------
Hi [~elecharny], sorry for bothering you again.
Recently, the number of vulnerabilities in Apache MINA has grown a lot. Besides
CVE-2024-52046, the following additional CVEs were reported on the MINA
version that the LDAP Directory API 2.1.7 is using:
* CVE-2026-41409
* CVE-2026-41635
* CVE-2026-42778
* CVE-2026-42779
Some of them may still be related to the same root, so from your early
statements we are probably safe (we don't use MINA for anything else). But I'm
not sure if this stands for _all_ of the above CVEs. Can you say anything on it?
I see the LDAP Directory API 2.1.8 version is not yet ready and, unless things
have changed meanwhile, I remember it's not possible to just upgrade MINA to
get rid of the above vulnerabilities, due to incompatible changes. Do you have
any updated information on this?
> Update Apache MINA Core from 2.2.3 to 2.2.4
> -------------------------------------------
>
> Key: DIRAPI-423
> URL: https://issues.apache.org/jira/browse/DIRAPI-423
> Project: Directory Client API
> Issue Type: Dependency upgrade
> Affects Versions: 2.1.7
> Reporter: Mark Hoare
> Priority: Minor
> Fix For: 2.1.8
>
>
> Please consider bumping MINA Core dependency to 2.2.4 to address
> CVE-2024-52046.
> 2.2.4 was released in Dec 2024