Bug#1138634: mina2: CVE-2026-48827
Salvatore Bonaccorso
carnil at debian.org
Mon Jun 1 16:34:47 BST 2026
Source: mina2
Version: 2.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for mina2.
CVE-2026-48827[0]:
| Path traversal vulnerability in Apache MINA SSHD bundle sshd-git.
| Lack of path validation in git-upload-pack, git-receive-pack, and
| other git operations allows users authenticated over SSH access to
| git repositories outside the configured git server root directory.
| Applications are affected if they use org.apache.sshd:sshd-git.
| Applications not using sshd-git are not affected. Users are
| advised to upgrade affected applications to Apache MINA SSHD 2.18.0,
| which fixes the issue. The issue also is present in the pre-release
| milestones 3.0.0-M1 to 3.0.0-M3 for a new upcoming major
| version 3.0.0. Again, applications are affected only if they use
| sshd-git. Upgrade affected applications to 3.0.0-M4. We would
| like to point out that a professional git server should not rely
| solely on file system layout and permissions, but should implement
| additional security controls to govern access to git repositories
| and operations allowed on particular git repositories.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-48827
https://www.cve.org/CVERecord?id=CVE-2026-48827
[1] https://www.openwall.com/lists/oss-security/2026/05/30/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
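
The CVE text above names missing path validation for the repository argument of git-upload-pack and git-receive-pack. As an added illustration (not part of the original report and not the upstream fix), here is a root-containment check in Java; the class and method names are hypothetical and the sample arguments are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; names are hypothetical and are not sshd-git API.
public class RepoPathCheck {

    /** Resolve the repository argument of a git command against the server root, rejecting escapes. */
    static Path resolveUnderRoot(Path root, String requested) throws IOException {
        Path realRoot = root.toRealPath();
        // Git clients send e.g. "/project.git"; treat the argument as relative to the root.
        String relative = requested.replaceFirst("^/+", "");
        if (relative.isEmpty() || relative.indexOf('\0') >= 0) {
            throw new SecurityException("invalid repository path");
        }
        Path candidate = realRoot.resolve(relative).normalize();
        // Lexical check: catches ".." segments and absolute paths that leave the root.
        if (candidate.equals(realRoot) || !candidate.startsWith(realRoot)) {
            throw new SecurityException("repository path escapes root: " + requested);
        }
        // Symlink check: the nearest existing ancestor must still be under the root
        // once links are resolved. The loop ends at realRoot at the latest.
        Path existing = candidate;
        while (!Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (!existing.toRealPath().startsWith(realRoot)) {
            throw new SecurityException("repository path escapes root via symlink: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("gitroot"); // constructed sample root
        Files.createDirectory(root.resolve("project.git"));
        // Constructed sample arguments, as they would follow git-upload-pack or git-receive-pack.
        String[] samples = { "/project.git", "/../etc", "/project.git/../../other.git", "/" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveUnderRoot(root, s));
            } catch (SecurityException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```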