Hi, this double vote is for a release that fixes some missing back-ported code from the 2.2.X branch. The back-ported code fixes CVE-2026-47065:

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy

Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy), JDK's ObjectInputStream.readProxyDesc() is dispatched. JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class, bypassing the accepted classes list.

The packages are available at:

MINA 2.0.31
===========

https://repository.apache.org/content/repositories/orgapachemina-1148/org/apache/mina/
and
https://dist.apache.org/repos/dist/dev/mina/mina/2.0.31/

[ ] +1 Release
[ ] ±0 Abstain
[ ] -1 Do Not Release

MINA 2.1.15
===========

https://repository.apache.org/content/repositories/orgapachemina-11498/org/apache/mina/
and
https://dist.apache.org/repos/dist/dev/mina/mina/2.1.15/

[ ] +1 Release
[ ] ±0 Abstain
[ ] -1 Do Not Release

Thanks!

--
Regards, Cordialement,
Emmanuel Lécharny
www.worteks.com
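
The resolveProxyClass gap described in the ZDRES-232 assessment above, as an added example that is not part of the original message and is not MINA's code: an accept-list stream that filters only in resolveClass lets a proxy's interface through, while also checking in resolveProxyClass rejects it. The names ProxyAcceptListDemo, FilteringStream and Handler, and the exact-name accept set, are assumptions made for illustration.

```java
import java.io.*;
import java.lang.reflect.*;
import java.util.Set;

public class ProxyAcceptListDemo {
    // Hypothetical accept-list stream for illustration; not MINA's class.
    static class FilteringStream extends ObjectInputStream {
        private final Set<String> accepted;
        private final boolean checkProxies;
        FilteringStream(InputStream in, Set<String> accepted, boolean checkProxies) throws IOException {
            super(in);
            this.accepted = accepted;
            this.checkProxies = checkProxies;
        }
        private void check(String name) throws InvalidClassException {
            if (!accepted.contains(name)) throw new InvalidClassException(name, "not in accept list");
        }
        @Override // reached for ordinary class descriptors (TC_CLASSDESC) only
        protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
            check(d.getName());
            return super.resolveClass(d);
        }
        @Override // reached for TC_PROXYCLASSDESC; the JDK default loads every interface unchecked
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            if (checkProxies) for (String intf : interfaces) check(intf);
            return super.resolveProxyClass(interfaces);
        }
    }

    static class Handler implements InvocationHandler, Serializable {
        public Object invoke(Object p, Method m, Object[] a) { return null; }
    }

    static String read(byte[] data, Set<String> accepted, boolean checkProxies) throws Exception {
        try (ObjectInputStream in = new FilteringStream(new ByteArrayInputStream(data), accepted, checkProxies)) {
            in.readObject();
            return "resolved";
        } catch (InvalidClassException e) {
            return "rejected " + e.classname;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a serialized proxy for java.lang.Runnable, which is NOT on the accept list.
        Object proxy = Proxy.newProxyInstance(ProxyAcceptListDemo.class.getClassLoader(),
                new Class<?>[] { Runnable.class }, new Handler());
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(proxy); }
        Set<String> accepted = Set.of("java.lang.reflect.Proxy", Handler.class.getName());
        System.out.println("default resolveProxyClass: " + read(buf.toByteArray(), accepted, false));
        System.out.println("checked resolveProxyClass: " + read(buf.toByteArray(), accepted, true));
    }
}
```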
