
Bug#1109358: unblock: mina2/2.2.1-4

Control: tags -1 confirmed moreinfo

Hi,

On Wed, Jul 16, 2025 at 12:02:07AM +0200, Pierre Gruet wrote:
> This is a request for upload to unstable + unblock for the key package mina2,
> which has NOT yet been uploaded to unstable.
> 
> [ Reason ]
> mina2 is affected by grave bug #1091530 about CVE-2024-52046. I have prepared
> an upload that fixes it by following the security tracker
>     https://security-tracker.debian.org/tracker/CVE-2024-52046
> 
> As
>     https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
> explains, the CVE is fixed by applying commit cdb59eb, visible at
>     https://github.com/apache/mina/commit/cdb59eb6131696a440870ab89ad0e20804eb5ca7#diff-cb3019e35ae0f7cccf4b546a473fbb784e94624dc736a754e3ad01633ceaf32dR401-R402
> and by reworking calls to ObjectSerializationDecoder in the rdeps of mina2. I
> checked that no Debian package calls this class.
> 
> My only change to the package is applying the above-cited commit.

I haven't tried to understand the details of this change. I assume that you
checked that all the changes in the patch are necessary to fix the
security issue. If that's the case:

Please go ahead with the upload and remove the moreinfo tag from this unblock
request once the new upload has been in unstable for a few days, and you think
it's ready to migrate.

Thanks,

Ivo
