Hi,

just to mention that there was a typo in the title.
We released 2.1.12 and not 2.0.12.

Thanks!

On 30/04/2026 23:52, Emmanuel Lecharny wrote:
The Apache MINA project is pleased to announce the release of:

- Apache MINA 2.2.7
- Apache MINA 2.1.12

This is a security release that fixes 2 CVEs that were supposed to have been fixed in the previous release, but the code never made it to those two branches due to a mistake.

- CVE-2026-42778: Apache MINA: CWE-502 Deserialization of Untrusted Data (https://www.cve.org/CVERecord?id=CVE-2026-42778)
- CVE-2026-42779: Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (https://www.cve.org/CVERecord?id=CVE-2026-42779)

It affects the applications that use the AbstractIoBuffer.getObject() method to deserialize the Java classes that are sent by a client. Those applications should upgrade to the released version.

Information relating to these releases is available on the following page:
https://mina.apache.org/mina-project/news

Downloads are available at
https://mina.apache.org/downloads-mina_2_1.html
https://mina.apache.org/downloads-mina_2_2.html

The Apache MINA PMC

--
Regards, Cordialement,
Emmanuel Lécharny
www.worteks.com
--
Emmanuel Lécharny
