henricook opened a new pull request, #395: URL: https://github.com/apache/commons-email/pull/395
## Summary

- Bump `com.sun.mail:jakarta.mail` from 1.6.7 to 1.6.8

Version 1.6.7 is vulnerable to [CVE-2025-7962](https://nvd.nist.gov/vuln/detail/CVE-2025-7962), an SMTP injection flaw allowing attackers to inject arbitrary SMTP commands via `\r\n` characters in UTF-8 encoded input.

## Binary compatibility

The fix in 1.6.8 is purely internal - a private `validateCommand()` method was added to `SMTPTransport.sendCommand()`. No public API was changed. The only other changes in 1.6.8 are an internal NTLM auth fix and logging improvements.

Diff of the security fix: [eclipse-ee4j/mail@cc9b954](https://github.com/eclipse-ee4j/mail/commit/cc9b954f3816f18f1b96dd50b1f8f51b3116462d)

## References

- https://nvd.nist.gov/vuln/detail/CVE-2025-7962
- https://github.com/advisories/GHSA-9342-92gg-6v29
- https://bugs.openjdk.org/browse/JDK-8024695

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
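The fix described in the PR rejects any command text carrying a CR or LF before it reaches the SMTP socket. The following is an added illustration of that class of check in Java; it is not jakarta.mail's or commons-email's own code, and the `SmtpCommandGuard` class, its methods and the sample addresses are hypothetical, constructed for this example.

```java
/**
 * Hypothetical guard showing the kind of CR/LF validation a mail client must
 * apply to every line it writes as an SMTP command. Example code added here;
 * it is not jakarta.mail's validateCommand() and the names are made up.
 */
public final class SmtpCommandGuard {

    /**
     * Returns the command unchanged if it contains no bare CR or LF,
     * otherwise throws. CR (0x0D) and LF (0x0A) are single ASCII bytes
     * in UTF-8 and no other code point encodes to them, so a scan of the
     * String's chars covers the SMTPUTF8 (UTF-8 encoded) path as well.
     */
    static String validateCommand(String command) {
        for (int i = 0; i < command.length(); i++) {
            char c = command.charAt(i);
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException(
                    "SMTP command contains CR/LF at index " + i);
            }
        }
        return command;
    }

    /** Builds a MAIL FROM line from an envelope address, validating it first. */
    static String mailFrom(String address) {
        return validateCommand("MAIL FROM:<" + address + ">");
    }

    public static void main(String[] args) {
        // Constructed inputs: a clean address and one that smuggles a
        // second command line through an embedded CRLF.
        System.out.println(mailFrom("alice@example.org"));
        try {
            mailFrom("alice@example.org>\r\nNOOP");
        } catch (IllegalArgumentException e) {
            // Expected: the injected line never reaches the wire.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is intentionally applied to the fully assembled command line rather than to the address alone, so it also catches separators introduced while the line is built.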
