Hello all,

after reading about the 2 CVEs, which are announced as fixed in the 2.2.6 MINA release, I downloaded the bin zip and source zip from https://mina.apache.org/downloads-mina_2_2.html. Curious to understand the fixes, I compared the source zip with the 2.2.4 sources I had in storage.
But there was no difference in AbstractIoBuffer.java, where I expected changes! There are changes on the 2.0.x branch, here: https://github.com/apache/mina/tree/2.0.X
But not on the 2.2.x branch, here: https://github.com/apache/mina/tree/2.2.X
I did not inspect the 2.1.x branch.

Is it possible that I looked at the wrong places, or that my expectations are not correct? Or is the fix not applied to at least the 2.2.x branch?

Regards
Jörg
