Just double checking: that means a new release of 2.1.x and 2.2.x, but NOT 2.0.x?

Thank you!

Gary

On Wed, Apr 29, 2026, 09:27 Emmanuel Lécharny <[email protected]> wrote:

> Hi Thomas,
>
> I think I understand the mistake I've made: I started the patch on my
> Linux laptop, and tested everything on the three branches. Up to the
> point I started to push the whole on gitbox, and got some error because
> I haven't installed my credentials setup on this laptop, so I switched
> to my previous laptop, completed the 2.0.X branch work which was the
> last one I worked on, and pushed it (successfully). Then I pushed the
> 2.1.X and 2.2.X branches after some minor refactoring (and at the same
> time I had to fight with the Java versions to use for each branch), and
> totally forgot that my old laptop doesn't have the CVE patch for these 2
> branches :/
>
> I just checked on my new laptop, and they do have the patch, locally...
>
> So I'll port the 2.0.X patch to the 2.1.X and 2.2.X branches and cut a new
> release ASAP.
>
> First step, request a new CVE.
>
> Sorry for the mess...
>
> On 28/04/2026 23:34, Thomas Wolf wrote:
>> Hi,
>>
>> On 28.04.26 18:55, Joerg Michelberger wrote:
>>> Hello all,
>>>
>>> after reading about the 2 CVEs, which are announced as fixed in the 2.2.6
>>> MINA release, I downloaded the bin zip and source zip from
>>> https://mina.apache.org/downloads-mina_2_2.html.
>>> Curious to understand the fixes, I compared the source zip with the 2.2.4
>>> sources I had in storage.
>>>
>>> But there was no difference in AbstractIoBuffer.java, where I expected
>>> changes!
>>>
>>> There are changes on the 2.0.x branch, here:
>>> https://github.com/apache/mina/tree/2.0.X
>>> But not on the 2.2.x branch here:
>>> https://github.com/apache/mina/tree/2.2.X
>>> I did not inspect the 2.1.x branch.
>>>
>>> Is it possible that I looked at the wrong places, or my expectations are
>>> not correct?
>>> Or is the fix not applied to at least the 2.2.x branch?
>>
>> Indeed. I only see the commit on the 2.0.x branch, but nothing on the
>> 2.1.x and 2.2.x branches. I see no merges either from 2.0.x to the other
>> branches. Something must have gone completely wrong. Decompiling the
>> class AbstractIoBuffer and AbstractIoBuffer$3 from the mina-core 2.2.6
>> JAR from the binary release also shows that the fix is indeed not
>> included.
>>
>> Thanks for double checking! So we have to add another item to our
>> release checklist: if it's a CVE fix, verify that the fix actually is
>> in the release. Doh!
>>
>> @Emmanuel: what happened? Looks like we need the fix committed for 2.1.x
>> and 2.2.x, and then new releases for these branches. Plus a new CVE to
>> state that the fix for the other two CVEs was ineffective in 2.1.11 and
>> in 2.2.6.
>>
>> Cheers,
>>
>> Thomas
>
> --
> ------------------------
> Emmanuel Lécharny
> [email protected]
> [email protected]
> ------------------------
