Bug#1135347: mina2: CVE-2026-41409
Salvatore Bonaccorso
carnil at debian.org
Fri May 1 13:18:44 BST 2026
Source: mina2
Version: 2.2.1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for mina2.
CVE-2026-41409[0]:
| The fix for CVE-2024-52046 in Apache MINA
| AbstractIoBuffer.getObject() was incomplete. The classname allowlist
| of classes allowed to be deserialized was applied too late after a
| static initializer in a class to be read might already have been
| executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27,
| 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in
| Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname
| allowlist earlier. Affected are applications using Apache MINA
| that call IoBuffer.getObject(). Applications using Apache MINA
| are advised to upgrade
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41409
https://www.cve.org/CVERecord?id=CVE-2026-41409
[1] https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list