Hi,

On 28.04.26 18:55, Joerg Michelberger wrote:
Hello all,

after reading about the 2 CVEs, which are announced as fixed in the 2.2.6
MINA release, I downloaded the bin zip and the source zip from
https://mina.apache.org/downloads-mina_2_2.html.
Curious to understand the fixes, I compared the source zip with the 2.2.4
sources I had in storage.

But there was no difference in AbstractIoBuffer.java, where I expected
changes!

There are changes on the 2.0.x branch, here:
https://github.com/apache/mina/tree/2.0.X
But not on the 2.2.x branch, here: https://github.com/apache/mina/tree/2.2.X
I did not inspect the 2.1.x branch.

Is it possible that I looked in the wrong places, or that my expectations
are not correct?
Or is the fix not applied to at least the 2.2.x branch?

Indeed. I only see the commit on the 2.0.x branch, but nothing on the
2.1.x and 2.2.x branches. I see no merges either from 2.0.x to the other
branches. Something must have gone completely wrong. Decompiling the
classes AbstractIoBuffer and AbstractIoBuffer$3 from the mina-core 2.2.6
JAR from the binary release also shows that the fix is indeed not
included.

Thanks for double checking! So we have to add another item to our
release checklist: if it's a CVE fix, verify that the fix actually is
in the release. Doh!

@Emmanuel: what happened? Looks like we need the fix committed for 2.1.x
and 2.2.x, and then new releases for these branches. Plus a new CVE to
state that the fix for the other two CVEs was ineffective in 2.1.11 and
in 2.2.6.

Cheers,

  Thomas
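The release-checklist check Thomas proposes, written out as an added example (this is not code from the MINA project or from either poster): given the previous release's source zip, the candidate release's source zip, and the list of files the fix commit touched, report for each file whether its content actually differs between the two archives. The same function works on the binary jar with `.class` entries, since a jar is a zip. The sample archives below are constructed in memory, and the path `org/apache/mina/core/buffer/AbstractIoBuffer.java` is an assumed location of the class discussed in the thread; matching is done on path suffix because release zips carry a versioned top-level directory.

```python
import hashlib
import io
import zipfile


def entry_digests(archive_bytes: bytes) -> dict:
    """Map each file entry of a zip (or jar, which is a zip) to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def _find(digests: dict, suffix: str) -> dict:
    """Entries whose path ends with `suffix`; release zips prefix a versioned top-level dir."""
    return {name: d for name, d in digests.items() if name.endswith(suffix)}


def verify_fix_present(previous_archive: bytes, candidate_archive: bytes, touched_files) -> dict:
    """For every file the fix commit touched, report one of:
       'changed'   - content differs from the previous release (fix plausibly present)
       'identical' - content is byte-identical to the previous release (fix NOT present)
       'new'       - file exists only in the candidate (a file the fix added)
       'missing'   - file is absent from the candidate archive
       'ambiguous' - the suffix matched several entries; inspect manually
    """
    old = entry_digests(previous_archive)
    new = entry_digests(candidate_archive)
    report = {}
    for suffix in touched_files:
        old_hits = _find(old, suffix)
        new_hits = _find(new, suffix)
        if not new_hits:
            report[suffix] = "missing"
        elif len(new_hits) > 1 or len(old_hits) > 1:
            report[suffix] = "ambiguous"
        elif not old_hits:
            report[suffix] = "new"
        else:
            (old_digest,) = old_hits.values()
            (new_digest,) = new_hits.values()
            report[suffix] = "changed" if old_digest != new_digest else "identical"
    return report


def release_is_acceptable(report: dict) -> bool:
    """Checklist gate: every file the fix touched must show up as 'changed' or 'new'."""
    return bool(report) and all(s in ("changed", "new") for s in report.values())


def _make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {path: content}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample archives (not the real MINA releases). The candidate release has a
# bumped version in its paths and pom, but AbstractIoBuffer.java is byte-identical.
_BUFFER_PATH = "mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java"  # assumed path
SAMPLE_PREVIOUS = _make_zip({
    "apache-mina-2.2.4/" + _BUFFER_PATH: "class AbstractIoBuffer { /* unfixed */ }",
    "apache-mina-2.2.4/pom.xml": "<version>2.2.4</version>",
})
SAMPLE_CANDIDATE = _make_zip({
    "apache-mina-2.2.6/" + _BUFFER_PATH: "class AbstractIoBuffer { /* unfixed */ }",
    "apache-mina-2.2.6/pom.xml": "<version>2.2.6</version>",
})
SAMPLE_FIXED = _make_zip({
    "apache-mina-2.2.6/" + _BUFFER_PATH: "class AbstractIoBuffer { /* bounds check added */ }",
    "apache-mina-2.2.6/pom.xml": "<version>2.2.6</version>",
})

# The list of files the fix commit touched; taken from `git show --stat <fix-commit>` in practice.
TOUCHED_BY_FIX = ["org/apache/mina/core/buffer/AbstractIoBuffer.java"]

if __name__ == "__main__":
    report = verify_fix_present(SAMPLE_PREVIOUS, SAMPLE_CANDIDATE, TOUCHED_BY_FIX)
    for path, status in report.items():
        print(f"{status:10} {path}")
    print("release OK" if release_is_acceptable(report) else "release REJECTED: fix not present")
```

Two caveats when running this against real artifacts: feed it the file list from the fix commit itself (`git show --stat`), not a guess, since a fix that touched only an inner class or a second file would otherwise pass unnoticed; and treat 'changed' on `.class` entries in the binary jar as weak evidence, because a different compiler or build timestamp also changes class bytes, which is why decompiling the class, as done in the thread, remains the stronger check for the binary release.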
