Nicely done on the speedy release, Emmanuel!

Gary

On Thu, Apr 30, 2026, 17:53 Emmanuel Lecharny <[email protected]> wrote:

> The Apache MINA project is pleased to announce the release of:
> - Apache MINA 2.2.7
> - Apache MINA 2.1.12
>
> This is a security release that fixes 2 CVE that were supposed to have
> been fixed in the previous release, but the code never made it to
> those two branches due to a mistake.
>
> - CVE-2026-42778: Apache MINA: CWE-502 Deserialization of Untrusted
> Data (https://www.cve.org/CVERecord?id=CVE-2026-42778)
>
> - CVE-CVE-2026-42779: Apache MINA: AbstractIoBuffer.resolveClass()
> null-clazz Branch Skips acceptMatchers Filter — Full Object
> Deserialization RCE (https://www.cve.org/CVERecord?id=CVE-2026-42779)
>
> It affects the applications that use the AbstractIoBuffer.getObject()
> method to deserialize the Java classes that are sent by a client.
>
> Those applications should upgrade to the released version.
>
> Information relative to these releases are available on the following page:
>
> https://mina.apache.org/mina-project/news
>
> Downloads are available at
> https://mina.apache.org/downloads-mina_2_1.html
> https://mina.apache.org/downloads-mina_2_2.html
>
> The Apache MINA PMC
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.worteks.com
