Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
garydgregory commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3890556547
@henricook PR merged, thank you 👍
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
garydgregory merged PR #394:
URL: https://github.com/apache/commons-email/pull/394
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
henricook commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3889191027
Done, thanks @garydgregory
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
garydgregory commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3887983639
@henricook Please rebase on git master and I'll kick off another build. TY!
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
garydgregory commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3887908110
Hm, the code in master should probably be redone using NIO instead of IO...
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
henricook commented on code in PR #394:
URL: https://github.com/apache/commons-email/pull/394#discussion_r2794103808
## commons-email2-jakarta/pom.xml: ##
@@ -36,10 +36,10 @@ commons-email2-core 2.0.0-M2-SNAPSHOT - - com.sun.mail - jakarta.mail - 2.0.2 + + org.eclipse.angus + jakarta.mail + 2.0.4
Review Comment:
Pushed now @garydgregory
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
henricook commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3885367787
> The tests that fail in Java 25 and 26 have code like the following:
>
> ```java
> // test bad file
> attachment.setPath("");
> ```
>
> Maybe an empty Path is now allowed?
I think that File("") has different semantics in Java 25. Rather than being
`false` it is the primary working directory. Here's an example. Which means
this test is probably failing on main? Is there a scheduled run of tests on
main or similar I could check? Or I could open a new PR with no changes.
```
echo 'System.out.println("Java " + System.getProperty("java.version") + ": new File(\"\").exists() = " + new java.io.File("").exists());' | docker run --rm -i eclipse-temurin:21-jdk jshell -s -
echo 'System.out.println("Java " + System.getProperty("java.version") + ": new File(\"\").exists() = " + new java.io.File("").exists());' | docker run --rm -i eclipse-temurin:25-jdk jshell -s -
```
gives:
```
~ ❯ echo 'System.out.println("Java " + System.getProperty("java.version") + ": new File(\"\").exists() = " + new java.io.File("").exists());' | docker run --rm -i eclipse-temurin:21-jdk jshell -s -
Feb 11, 2026 3:58:08 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Java 21.0.10: new File("").exists() = false
~ ❯ echo 'System.out.println("Java " + System.getProperty("java.version") + ": new File(\"\").exists() = " + new java.io.File("").exists());' | docker run --rm -i eclipse-temurin:25-jdk jshell -s -
Feb 11, 2026 3:58:24 PM java.util.prefs.FileSystemPreferences setupUserRoot
INFO: Created user preferences directory.
Java 25.0.2: new File("").exists() = true
```
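An added example, not code from this PR or from commons-email: an attachment-path check that rejects the empty string explicitly instead of relying on `new File("").exists()`, whose result differs between the Java 21 and Java 25 runs shown above. The class, method and exception names are assumptions standing in for the library's own types.

```java
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class AttachmentPathCheck {

    /** Hypothetical stand-in for org.apache.commons.mail2.core.EmailException. */
    public static class BadAttachmentException extends Exception {
        public BadAttachmentException(String message) {
            super(message);
        }
    }

    /**
     * Accepts an attachment path only if it names an existing, readable regular file.
     * The empty string is rejected up front: the jshell runs above show
     * new File("").exists() returning false on Java 21 but true on Java 25,
     * so a check that relies on exists() alone changes behaviour with the JDK.
     */
    public static Path validateAttachmentPath(String path) throws BadAttachmentException {
        if (path == null || path.trim().isEmpty()) {
            throw new BadAttachmentException("attachment path is empty");
        }
        final Path candidate;
        try {
            candidate = Paths.get(path);
        } catch (InvalidPathException e) {
            throw new BadAttachmentException("attachment path is not valid: " + path);
        }
        // isRegularFile() is false for directories, so a path that resolves to the
        // working directory is rejected even where exists() would return true.
        if (!Files.isRegularFile(candidate) || !Files.isReadable(candidate)) {
            throw new BadAttachmentException("attachment is not a readable regular file: " + path);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: empty path, current directory, missing file.
        for (String sample : new String[] { "", ".", "does-not-exist.txt" }) {
            try {
                validateAttachmentPath(sample);
                System.out.println("accepted: '" + sample + "'");
            } catch (BadAttachmentException e) {
                System.out.println("rejected '" + sample + "': " + e.getMessage());
            }
        }
    }
}
```

All three constructed samples are rejected on any JDK version, which is the behaviour the failing tests on the PR expect from an empty path.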
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
henricook commented on code in PR #394:
URL: https://github.com/apache/commons-email/pull/394#discussion_r2793931661
## commons-email2-jakarta/pom.xml: ##
@@ -36,10 +36,10 @@ commons-email2-core 2.0.0-M2-SNAPSHOT - - com.sun.mail - jakarta.mail - 2.0.2 + + org.eclipse.angus + jakarta.mail + 2.0.4
Review Comment:
Because I must be blind 😢 - on the way
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
sebbASF commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3885128319
The tests that fail in Java 25 and 26 have code like the following:
```java
// test bad file
attachment.setPath("");
```
Maybe an empty Path is now allowed?
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
garydgregory commented on code in PR #394:
URL: https://github.com/apache/commons-email/pull/394#discussion_r2793863071
## commons-email2-jakarta/pom.xml: ##
@@ -36,10 +36,10 @@ commons-email2-core 2.0.0-M2-SNAPSHOT - - com.sun.mail - jakarta.mail - 2.0.2 + + org.eclipse.angus + jakarta.mail + 2.0.4
Review Comment:
Why not use the current version `2.0.5`? See https://central.sonatype.com/artifact/org.eclipse.angus/jakarta.mail/versions
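Review bot: the pom.xml hunk changes the groupId from com.sun.mail to org.eclipse.angus as well as the version (2.0.2 to 2.0.4), so this is a provider switch and not only a bump; since the PR title ties it to CVE-2025-7962, the dependency change should be paired with a release-notes entry naming the CVE and the minimum fixed jakarta.mail version, and the build checked (for example with `mvn dependency:tree`) so that no other module still resolves the old com.sun.mail:jakarta.mail artifact next to the new one.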
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
garydgregory commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3885064062
Hello @henricook
Odd, the build here fails on Java >= 25 due to test failures:
```
Error: Failures:
Error:MultiPartEmailTest.testAttachFile:138 Expected org.apache.commons.mail2.core.EmailException to be thrown, but nothing was thrown.
Error:MultiPartEmailTest.testAttachPath:181 Expected org.apache.commons.mail2.core.EmailException to be thrown, but nothing was thrown.
[INFO]
Error: Tests run: 200, Failures: 2, Errors: 0, Skipped: 3
```
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
garydgregory commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3884984904
> > Hello @henricook
> >
> > For 1.x, keep in mind that we can't break binary compatibility.
>
> Thanks Gary, would I raise a PR to the 1.x branch to propose a patch to it if binary compatibility was ok?
I'd like to see a PR before I make any promises 😉
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
henricook commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3884557697
I'm reasonably confident that 1.6.7 -> 1.6.8 doesn't include any binary compatibility breaking changes. The internals of SMTPTransport.java were changed, and the only other non-test changes were:
- Internal: Fix to NTLM auth
- Internal: Logging improvements
- Version bumps in POMs
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
henricook commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3884466580
> Hello @henricook
>
> For 1.x, keep in mind that we can't break binary compatibility.
Thanks Gary, would I raise a PR to the 1.x branch to propose a patch to it if binary compatibility was ok?
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
garydgregory commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3884451883
Hello @henricook
For 1.x, keep in mind that we can't break binary compatibility.
Re: [PR] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail [commons-email]
henricook commented on PR #394:
URL: https://github.com/apache/commons-email/pull/394#issuecomment-3884407502
It'd be amazing if anyone had information to help me figure out how to backport this to the 1.6.x series - and maybe get it released as a patch?
