Hi Thomas,

I think I understand the mistake I made: I started the patch on my Linux laptop and tested everything on the three branches, up to the point where I started to push the whole thing to gitbox and got some error because I hadn't installed my credentials setup on this laptop. So I switched to my previous laptop, completed the 2.0.X branch work, which was the last one I had worked on, and pushed it (successfully). Then I pushed the 2.1.X and 2.2.X branches after some minor refactoring (and at the same time I had to fight with the Java versions to use for each branch), and totally forgot that my old laptop didn't have the CVE patch for these 2 branches :/

I just checked on my new laptop, and they do have the patch, locally...

So I'll port the 2.0.X patch to the 2.1.X and 2.2.X branches and cut a new release ASAP.

First step, request a new CVE.

Sorry for the mess...

On 28/04/2026 23:34, Thomas Wolf wrote:
Hi,

On 28.04.26 18:55, Joerg Michelberger wrote:
Hello all,

After reading about the 2 CVEs, which are announced as fixed in the 2.2.6
MINA release, I downloaded the bin zip and source zip from
https://mina.apache.org/downloads-mina_2_2.html.
Curious to understand the fixes, I compared the source zip with the 2.2.4
sources I had in storage.

But there was no difference in AbstractIoBuffer.java, where I expected
changes!

There are changes on the 2.0.x branch, here:
https://github.com/apache/mina/tree/2.0.X
But not on the 2.2.x branch, here: https://github.com/apache/mina/tree/2.2.X
I did not inspect the 2.1.x branch.

Is it possible that I looked in the wrong places, or that my expectations
are not correct?
Or is the fix not applied to at least the 2.2.x branch?

Indeed. I only see the commit on the 2.0.x branch, but nothing on the
2.1.x and 2.2.x branches. I see no merges either from 2.0.x to the other
branches. Something must have gone completely wrong. Decompiling the
classes AbstractIoBuffer and AbstractIoBuffer$3 from the mina-core 2.2.6
JAR in the binary release also shows that the fix is indeed not
included.

Thanks for double checking! So we have to add another item to our
release checklist: if it's a CVE fix, verify that the fix actually is
in the release. Doh!

@Emmanuel: what happened? Looks like we need the fix committed for 2.1.x
and 2.2.x, and then new releases for these branches. Plus a new CVE to
state that the fix for the other two CVEs was ineffective in 2.1.11 and
in 2.2.6.

Cheers,

   Thomas


--
------------------------
Emmanuel Lécharny
[email protected]
[email protected]
------------------------
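The checklist item proposed in the thread, verifying that a CVE fix is actually present in the released artifacts before announcing it, as an added example in Python; this is not code from the MINA project or from anyone in this thread. It assumes the release manager can name a few distinctive source lines (or a new identifier) that the fix introduces and checks both the source zip and the binary JAR for them. The snippets, file paths, package name and the fake class bytes used below are constructed placeholders, not the actual MINA change.

```python
"""Check that a CVE fix actually landed in a release artifact.

Added example, not MINA project code. The expected fix is described as a
few distinctive source lines per file (constructed placeholders here).
"""
import io
import zipfile
from typing import Dict, List


def find_entries(zf: zipfile.ZipFile, suffix: str) -> List[str]:
    """Return all archive entries whose path ends with `suffix`."""
    return [n for n in zf.namelist() if n.endswith(suffix)]


def verify_source_fix(zip_bytes: bytes, expected: Dict[str, List[str]]) -> Dict[str, str]:
    """For each file suffix in `expected`, report whether every expected
    line occurs in the matching entry of the source zip.

    Status per file: "present", "missing" (file found but a line is
    absent) or "file-not-found".
    """
    report: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for suffix, lines in expected.items():
            entries = find_entries(zf, suffix)
            if not entries:
                report[suffix] = "file-not-found"
                continue
            text = "\n".join(zf.read(e).decode("utf-8", "replace") for e in entries)
            report[suffix] = "present" if all(line in text for line in lines) else "missing"
    return report


def verify_class_marker(jar_bytes: bytes, class_suffix: str, marker: str) -> str:
    """Cheap binary-release check: ASCII identifiers and string literals sit
    verbatim in a .class file's constant pool, so a byte search for a name or
    message the fix introduced tells whether the class was compiled from the
    fixed source. It only proves the marker is there, not that behaviour is
    correct; decompiling, as done in the thread, remains the thorough check.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = find_entries(zf, class_suffix)
        if not entries:
            return "file-not-found"
        found = any(marker.encode("utf-8") in zf.read(e) for e in entries)
        return "present" if found else "missing"


def build_zip(files: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used here to construct sample 'releases'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed placeholder for the fix: a hypothetical length check. The
# real MINA change is not reproduced here.
EXPECTED_FIX = {
    "AbstractIoBuffer.java": [
        "checkLength(length)",
        "throw new IllegalArgumentException",
    ],
}

UNFIXED_SOURCE = b"""package example;
public abstract class AbstractIoBuffer {
    public void getObject(int length) { /* no length check */ }
}
"""

FIXED_SOURCE = b"""package example;
public abstract class AbstractIoBuffer {
    private void checkLength(int length) {
        if (length < 0) throw new IllegalArgumentException("bad length");
    }
    public void getObject(int length) { checkLength(length); }
}
"""


def demo() -> Dict[str, str]:
    """Run the checker over a constructed 'unfixed' and 'fixed' release."""
    # Hypothetical archive layout; only the file-name suffix matters.
    unfixed = build_zip({"release-unfixed/src/example/AbstractIoBuffer.java": UNFIXED_SOURCE})
    fixed = build_zip({"release-fixed/src/example/AbstractIoBuffer.java": FIXED_SOURCE})
    # Constructed stand-in for a compiled class (magic number plus a marker);
    # verify_class_marker only looks for the marker bytes.
    jar = build_zip({"example/AbstractIoBuffer.class": b"\xca\xfe\xba\xbe..checkLength.."})
    return {
        "unfixed": verify_source_fix(unfixed, EXPECTED_FIX)["AbstractIoBuffer.java"],
        "fixed": verify_source_fix(fixed, EXPECTED_FIX)["AbstractIoBuffer.java"],
        "jar": verify_class_marker(jar, "AbstractIoBuffer.class", "checkLength"),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

In a real release pipeline the two functions would be pointed at the downloaded source zip and the mina-core JAR, with the expected lines taken from the fix commit on the branch being released; a "missing" or "file-not-found" status should block the announcement.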

