Source: mina2
Version: 2.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for mina2.

CVE-2026-48827[0]:
| Path traversal vulnerability in Apache MINA SSHD bundle sshd-git.
| Lack of path validation in git-upload-pack, git-receive-pack, and
| other git operations allows users authenticated over SSH access to
| git repositories outside the configured git server root directory.
| Applications are affected if they use org.apache.sshd:sshd-git.
| Applications not using sshd-git are not affected. Users are
| advised to upgrade affected applications to Apache MINA SSHD 2.18.0,
| which fixes the issue. The issue also is present in the pre-
| release milestones 3.0.0-M1 to 3.0.0-M3 for a new upcoming new major
| version 3.0.0. Again, applications are affected only if they use
| sshd-git. Upgrade affected applications to 3.0.0-M4. We would
| like to point out that a professional git server should not rely
| solely on file system layout and permissions, but should implement
| additional security controls to govern access to git repositories
| and operations allowed on particular git repositories.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48827
    https://www.cve.org/CVERecord?id=CVE-2026-48827
[1] https://www.openwall.com/lists/oss-security/2026/05/30/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
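
A root-containment check of the kind the CVE description says was missing, shown as an added example; it is not code from this report or from Apache MINA SSHD, and the class name, method name and sample directory layout are hypothetical and constructed for illustration:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; names are hypothetical, this is not sshd-git code.
public class RepoRootCheck {

    /** Resolves a client-supplied repository path strictly inside rootDir, or throws. */
    static Path resolveInsideRoot(Path rootDir, String requested) throws IOException {
        Path root = rootDir.toRealPath();              // canonical root, symlinks resolved
        // Assumption: clients may send a leading '/'; treat the path as root-relative.
        String relative = requested.replaceFirst("^/+", "");
        if (relative.isEmpty() || relative.indexOf('\0') >= 0) {
            throw new SecurityException("invalid repository path");
        }
        Path candidate = root.resolve(relative).normalize();   // collapses "." and ".."
        if (!candidate.startsWith(root)) {             // component-wise, not a string prefix
            throw new SecurityException("outside git root: " + requested);
        }
        // A symlink inside the root can still point outside it; re-check the real path.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes git root: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/root/project.git plus a sibling <tmp>/root-private.git
        Path tmp = Files.createTempDirectory("gitroot-demo");
        Path root = Files.createDirectories(tmp.resolve("root"));
        Files.createDirectories(root.resolve("project.git"));
        Files.createDirectories(tmp.resolve("root-private.git"));

        String[] samples = { "/project.git", "project.git/../project.git",
                             "../root-private.git", "/../../etc",
                             "a/../../root-private.git" };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + resolveInsideRoot(root, s));
            } catch (SecurityException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The sibling directory `root-private.git` is there to show why the comparison uses `Path.startsWith`, which matches whole path components: a plain string-prefix test against `.../root` would accept it.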

