Thank you for the fix. The fix is in. Thank you all for caring and maintaining.
Best regards from happy MINA user Joerg

Gary Gregory <[email protected]> wrote on Wed, 29 Apr 2026, 16:32:

> On Wed, Apr 29, 2026, 10:08 Emmanuel Lécharny <[email protected]> wrote:
>
> > Yes, absolutely.
> >
> > I triple checked, to be sure :/
>
> Thumbs up then.
>
> Gary
>
> > On 29/04/2026 15:38, Gary Gregory wrote:
> > > Just double checking: that means a new release of 2.1.x and 2.2.x, but
> > > NOT 2.0.x?
> > >
> > > Thank you!
> > > Gary
> > >
> > > On Wed, Apr 29, 2026, 09:27 Emmanuel Lécharny <[email protected]> wrote:
> > >
> > >> Hi Thomas,
> > >>
> > >> I think I understand the mistake I've made: I started the patch on my
> > >> Linux laptop, and tested everything on the three branches. Up to the
> > >> point I started to push the whole on gitbox, and got some error because
> > >> I haven't installed my credentials setup on this laptop, so I switched
> > >> to my previous laptop, completed the 2.0.X branch work which was the
> > >> last one I worked on, and pushed it (successfully). Then I pushed the
> > >> 2.1.X and 2.2.X branches after some minor refactoring (and at the same
> > >> time I had to fight with the java versions to use for each branch), and
> > >> totally forgot that my old laptop hasn't the CVEs path for these 2
> > >> branches :/
> > >>
> > >> I just checked on my new laptop, and they do have the patch, locally...
> > >>
> > >> So I'll port the 2.0.X patch to 2.1.X and 2.2.X branches, cut a new
> > >> release asap.
> > >>
> > >> First step, request a new CVE.
> > >>
> > >> Sorry for the mess...
> > >>
> > >> On 28/04/2026 23:34, Thomas Wolf wrote:
> > >>> Hi,
> > >>>
> > >>> On 28.04.26 18:55, Joerg Michelberger wrote:
> > >>>> Hello all,
> > >>>>
> > >>>> after reading about the 2 CVEs, which are announced as fixed in the 2.2.6
> > >>>> MINA release, I downloaded bin zip and source zip from
> > >>>> https://mina.apache.org/downloads-mina_2_2.html.
> > >>>> Curious to understand the fixes I compared the source zip with the 2.2.4
> > >>>> sources I had in storage.
> > >>>>
> > >>>> But there was no difference in AbstractIoBuffer.java, where I expected
> > >>>> changes!
> > >>>>
> > >>>> There are changes on the 2.0.x branch, here:
> > >>>> https://github.com/apache/mina/tree/2.0.X
> > >>>> But not on 2.2.x branch here: https://github.com/apache/mina/tree/2.2.X
> > >>>> I did not inspect 2.1.x branch.
> > >>>>
> > >>>> Is it possible, that I looked at the wrong places, or my expectations are
> > >>>> not correct?
> > >>>> Or is the fix not applied to at least 2.2.x branch.
> > >>>
> > >>> Indeed. I only see the commit on the 2.0.x branch, but nothing on the
> > >>> 2.1.x and 2.2.x branches. I see no merges either from 2.0x to the other
> > >>> branches. Something must have gone completely wrong. Decompiling the
> > >>> class AbstractIoBuffer and AbstractIoBuffer$3 from the mina-core 2.2.6
> > >>> JAR from the binary release also shows that the fix is indeed not
> > >>> included.
> > >>>
> > >>> Thanks for double checking! So we have to add another item to our
> > >>> release checklist: if it's a CVE fix, verify that the fix actually is
> > >>> in the release. Doh!
> > >>>
> > >>> @Emmanuel: what happened? Looks like we need the fix committed for 2.1.x
> > >>> and 2.2.x, and then new releases for these branches. Plus a new CVE to
> > >>> state that the fix for the other two CVEs was ineffective in 2.1.11 and
> > >>> in 2.2.6.
> > >>>
> > >>> Cheers,
> > >>>
> > >>> Thomas
> > >>>
> > >>
> > >> --
> > >> ------------------------
> > >> Emmanuel Lécharny
> > >> [email protected]
> > >> [email protected]
> > >> ------------------------
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: [email protected]
> > >> For additional commands, e-mail: [email protected]
> >
> > --
> > ------------------------
> > Emmanuel Lécharny
> > [email protected]
> > [email protected]
> > ------------------------
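
The check described in the thread above (compare the new release's source archive with the previous one and confirm that the file expected to carry the CVE fix actually changed), as an added example that is not part of the thread or of the MINA project. The helper name `unfixed_files`, the archive directory names, the paths and the file contents are all constructed for illustration.

```python
import hashlib
import io
import zipfile


def _digests(zip_bytes):
    """Map path (top-level release directory stripped) -> SHA-256 of content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Source archives usually wrap everything in a versioned directory;
            # drop it so the same file lines up across two releases.
            rel = info.filename.split("/", 1)[-1]
            out[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def unfixed_files(old_zip, new_zip, expected):
    """Return the expected file names that did NOT change between releases.

    Names match on the final path component. A name absent from the new
    archive is reported too, because the fix cannot be verified there.
    """
    old, new = _digests(old_zip), _digests(new_zip)
    problems = []
    for name in expected:
        hits = [p for p in new if p.rsplit("/", 1)[-1] == name]
        if not hits or all(old.get(p) == new[p] for p in hits):
            problems.append(name)
    return problems


def _make_zip(root, files):
    """Build a constructed source archive in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(f"{root}/{path}", text)
    return buf.getvalue()


# Constructed archives: directory names and file contents are placeholders.
OLD = _make_zip("src-2.2.4", {"core/AbstractIoBuffer.java": "class A {}", "core/Other.java": "v1"})
BAD = _make_zip("src-2.2.6", {"core/AbstractIoBuffer.java": "class A {}", "core/Other.java": "v2"})
GOOD = _make_zip("src-2.2.6", {"core/AbstractIoBuffer.java": "class A { /* fix */ }", "core/Other.java": "v2"})

if __name__ == "__main__":
    print("release without fix:", unfixed_files(OLD, BAD, ["AbstractIoBuffer.java"]))
    print("release with fix:   ", unfixed_files(OLD, GOOD, ["AbstractIoBuffer.java"]))
```

A changed file only shows that something changed; confirming that the change is the intended fix still needs a diff review or a regression test run against the release artifact itself.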
