henricook opened a new pull request, #394: URL: https://github.com/apache/commons-email/pull/394
## Summary

- Migrate `commons-email2-jakarta` from `com.sun.mail:jakarta.mail:2.0.2` to `org.eclipse.angus:jakarta.mail:2.0.4` - the patched successor of the EOL `com.sun.mail` implementation
- Bump `commons-email2-javax` from `com.sun.mail:jakarta.mail:1.6.7` to `1.6.8`

Both versions prior to this change are vulnerable to [CVE-2025-7962](https://nvd.nist.gov/vuln/detail/CVE-2025-7962), an SMTP injection flaw allowing attackers to inject arbitrary SMTP commands via `\r\n` characters in UTF-8 encoded input.

## Context

The `com.sun.mail:jakarta.mail` implementation has been superseded by [Eclipse Angus](https://eclipse-ee4j.github.io/angus-mail/), which is described as the "direct successor of JavaMail/JakartaMail". The CVE fix was only released under the Angus coordinates (`org.eclipse.angus:jakarta.mail:2.0.4`), while the old `com.sun.mail` 2.x line remains unpatched. For the `commons-email2-javax` module, a backported fix is available at `com.sun.mail:jakarta.mail:1.6.8`.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2025-7962
- https://github.com/advisories/GHSA-9342-92gg-6v29
- https://eclipse-ee4j.github.io/angus-mail/

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
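A dependency audit a consumer of either module could run before and after this change, as an added example that is not part of the pull request or of commons-email: it scans `mvn dependency:list` style lines and flags `jakarta.mail` artifacts still on a version affected by CVE-2025-7962, using only the coordinates and version floors the PR description states (the sample lines are constructed).

```python
# Added check (not part of the pull request): flag jakarta.mail dependencies still on
# a version affected by CVE-2025-7962, using only the coordinates and versions the PR
# text gives. Input lines follow the `mvn dependency:list` format
# (groupId:artifactId:type:version:scope).
import re

# Patched floors stated in the PR: com.sun.mail 1.x fixed in 1.6.8 (backport),
# Angus fixed in 2.0.4. The com.sun.mail 2.x line has no fix, so every 2.x is flagged.
PATCHED = {"com.sun.mail": (1, 6, 8), "org.eclipse.angus": (2, 0, 4)}

DEP_RE = re.compile(r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):[\w\-]+:(?P<v>[\w.\-]+)")

def parse_version(v):
    """Numeric prefix of a Maven version, e.g. '2.0.4' -> (2, 0, 4)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_vulnerable(group, version):
    v = parse_version(version)
    if group == "com.sun.mail" and v[:1] == (2,):
        return True  # unpatched 2.x line: migrate to org.eclipse.angus
    return group in PATCHED and v < PATCHED[group]

def find_vulnerable(lines):
    """Return 'groupId:jakarta.mail:version' for each affected entry."""
    hits = []
    for line in lines:
        m = DEP_RE.search(line)
        if m and m.group("a") == "jakarta.mail" and is_vulnerable(m.group("g"), m.group("v")):
            hits.append(f"{m.group('g')}:jakarta.mail:{m.group('v')}")
    return hits

# Constructed sample resembling `mvn dependency:list` output for both modules.
SAMPLE = """\
[INFO]    com.sun.mail:jakarta.mail:jar:1.6.7:compile
[INFO]    com.sun.mail:jakarta.mail:jar:2.0.2:compile
[INFO]    org.eclipse.angus:jakarta.mail:jar:2.0.4:compile
[INFO]    com.sun.mail:jakarta.mail:jar:1.6.8:compile
[INFO]    jakarta.activation:jakarta.activation-api:jar:2.1.3:compile
""".splitlines()

if __name__ == "__main__":
    print(find_vulnerable(SAMPLE))  # -> the 1.6.7 and 2.0.2 entries
```

Pipe the real output of `mvn dependency:list` into `find_vulnerable` to confirm that no transitive path still pulls in the old `com.sun.mail` coordinates after the upgrade.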
