Your message dated Tue, 22 Jul 2025 09:49:00 +0000
with message-id <[email protected]>
and subject line Bug#1091530: fixed in mina2 2.2.1-4
has caused the Debian Bug report #1091530,
regarding mina2: CVE-2024-52046
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1091530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091530
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mina2
Version: 2.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for mina2.

CVE-2024-52046[0]:
| The ObjectSerializationDecoder in Apache MINA uses Java’s native
| deserialization protocol to process incoming serialized data but
| lacks the necessary security checks and defenses. This vulnerability
| allows attackers to exploit the deserialization process by sending
| specially crafted malicious serialized data, potentially leading to
| remote code execution (RCE) attacks.
| This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and
| will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's
| also important to note that an application using MINA core library
| will only be affected if the IoBuffer#getObject() method is called,
| and this specific method is potentially called when adding a
| ProtocolCodecFilter instance using the
| ObjectSerializationCodecFactory class in the filter chain. If your
| application is specifically using those classes, you have to upgrade
| to the latest version of MINA core library. Upgrading will not
| be enough: you also need to explicitly allow the classes the decoder
| will accept in the ObjectSerializationDecoder instance, using one of
| the three new methods:
|
|     /**
|      * Accept class names where the supplied ClassNameMatcher matches for
|      * deserialization, unless they are otherwise rejected.
|      *
|      * @param classNameMatcher the matcher to use
|      */
|     public void accept(ClassNameMatcher classNameMatcher)
|
|     /**
|      * Accept class names that match the supplied pattern for
|      * deserialization, unless they are otherwise rejected.
|      *
|      * @param pattern standard Java regexp
|      */
|     public void accept(Pattern pattern)
|
|     /**
|      * Accept the wildcard specified classes for deserialization,
|      * unless they are otherwise rejected.
|      *
|      * @param patterns Wildcard file name patterns as defined by
|      *                 {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String)
|      *                 FilenameUtils.wildcardMatch}
|      */
|     public void accept(String... patterns)
|
| By default, the decoder will
| reject *all* classes that will be present in the incoming data.
| Note: The FtpServer, SSHd and Vysper sub-project are not affected by
| this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52046
    https://www.cve.org/CVERecord?id=CVE-2024-52046
[1] https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
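The advisory above says that upgrading MINA core alone is not enough: the patched ObjectSerializationDecoder rejects every class by default, so the application has to allow-list the classes it actually expects. The following is an added example (not code from the bug report, Debian, or the MINA project) of wiring such an allow-listed decoder into a MINA filter chain; the package and class names com.example.chat.LoginRequest and ChatMessage, and the class name HardenedObjectCodec, are hypothetical.

```java
import java.util.regex.Pattern;

import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

/** Builds the object-serialization codec with an explicit class allow-list (MINA core 2.2.4 or later). */
public final class HardenedObjectCodec {

    // Hypothetical message types of the application; only these may be deserialized.
    private static final Pattern ALLOWED_MESSAGE_CLASSES =
            Pattern.compile("^com\\.example\\.chat\\.(LoginRequest|ChatMessage)$");

    private HardenedObjectCodec() {
    }

    /**
     * Returns a ProtocolCodecFactory whose decoder only resolves the listed classes.
     * Without at least one accept(...) call the fixed decoder rejects every class
     * in the stream, so the application's own messages would fail to decode too.
     */
    public static ProtocolCodecFactory allowListedFactory() {
        final ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // Exact regexp allow-list. The wildcard form, decoder.accept("com.example.chat.*"),
        // would also match every class under that prefix, so the regexp is used here.
        decoder.accept(ALLOWED_MESSAGE_CLASSES);
        // Every other class present in the incoming data must be accepted explicitly as well,
        // including JDK types referenced by message fields and their serializable superclasses.
        decoder.accept(Pattern.compile("^java\\.lang\\.(Number|Integer|Long)$"));
        final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
        return new ProtocolCodecFactory() {
            @Override
            public ProtocolEncoder getEncoder(IoSession session) { return encoder; }
            @Override
            public ProtocolDecoder getDecoder(IoSession session) { return decoder; }
        };
    }

    /** Installs the hardened codec in the acceptor's filter chain. */
    public static void install(NioSocketAcceptor acceptor) {
        // The vulnerable setup was new ProtocolCodecFilter(new ObjectSerializationCodecFactory()),
        // whose decoder resolved any class named by the remote peer; only this line changes.
        acceptor.getFilterChain().addLast("codec", new ProtocolCodecFilter(allowListedFactory()));
    }
}
```

A message whose stream names a class outside the allow-list is rejected at resolve time, before any of its fields are read.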
--- Begin Message ---
Source: mina2
Source-Version: 2.2.1-4
Done: Pierre Gruet <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mina2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet <[email protected]> (supplier of updated mina2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 15 Jul 2025 23:47:20 +0200
Source: mina2
Architecture: source
Version: 2.2.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Pierre Gruet <[email protected]>
Closes: 1091530
Changes:
 mina2 (2.2.1-4) unstable; urgency=medium
 .
   * Team upload
   * Fixing CVE-2024-52046: The ObjectSerializationDecoder in Apache MINA uses
     Java’s native deserialization protocol to process incoming serialized
     data but lacks the necessary security checks and defenses. This
     vulnerability allows attackers to exploit the deserialization process by
     sending specially crafted malicious serialized data, potentially leading to
     remote code execution (RCE) attacks.
     Closes: #1091530



--- End Message ---