• Bug#1109358: unblock: mina2/2.2.1-4

    From Ivo De Decker@21:1/5 to Pierre Gruet on Mon Jul 21 20:50:01 2025
    XPost: linux.debian.devel.release

    Control: tags -1 confirmed moreinfo

    Hi,

    On Wed, Jul 16, 2025 at 12:02:07AM +0200, Pierre Gruet wrote:
    > This is a request for upload to unstable + unblock for the key package mina2, which has NOT yet been uploaded to unstable.
    >
    > [ Reason ]
    > mina2 is affected by grave bug #1091530 about CVE-2024-52046. I have prepared an upload that fixes it by following the security tracker
    > https://security-tracker.debian.org/tracker/CVE-2024-52046
    >
    > As https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8 explains, the CVE is fixed by applying commit cdb59eb, visible at
    > https://github.com/apache/mina/commit/cdb59eb6131696a440870ab89ad0e20804eb5ca7#diff-cb3019e35ae0f7cccf4b546a473fbb784e94624dc736a754e3ad01633ceaf32dR401-R402
    > and by reworking calls to ObjectSerializationDecoder in the rdeps of mina2. I checked that no Debian package calls this class.
    >
    > My only change to the package is applying the above-cited commit.

    I haven't tried to understand the details of this change. I assume that you checked that all the changes in the patch are necessary to fix the
    security issue. If that's the case:

    Please go ahead with the upload and remove the moreinfo tag from this unblock request once the new upload has been in unstable for a few days, and you think it's ready to migrate.

    Thanks,

    Ivo
