USN-8465-1

It was discovered that Apache MINA lacked an acceptMatchers allowlist mechanism to restrict which classes could be deserialized. An attacker could use this to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-52046)

It was discovered that Apache MINA's deserialization filter could be bypassed via multiple code paths. An attacker could use this to execute arbitrary code by sending a specially crafted serialized object over the network. (CVE-2026-42778, CVE-2026-42779, CVE-2026-47065)

References

Affected packages

Ubuntu:Pro:22.04:LTS / mina2

Package

Name: mina2
Purl: pkg:deb/ubuntu/mina2?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.5-1ubuntu0.1~esm1

Affected versions

2.*

2.1.4-2

2.1.5-1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.1.5-1ubuntu0.1~esm1",
            "binary_name": "libmina2-java"
        }
    ]
}

Database specific

cves_map

{
    "cves": [],
    "ecosystem": "Ubuntu:Pro:22.04:LTS"
}

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8465-1.json"

Ubuntu:Pro:24.04:LTS / mina2

Package

Name: mina2
Purl: pkg:deb/ubuntu/mina2?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.1-3ubuntu0.1~esm1

Affected versions

2.*

2.2.1-3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.2.1-3ubuntu0.1~esm1",
            "binary_name": "libmina2-java"
        }
    ]
}

Database specific

cves_map

{
    "cves": [],
    "ecosystem": "Ubuntu:Pro:24.04:LTS"
}

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8465-1.json"

Ubuntu:Pro:26.04:LTS / mina2

Package

Name: mina2
Purl: pkg:deb/ubuntu/mina2?arch=source&distro=esm-apps%2Fresolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.1-4ubuntu0.1~esm1

Affected versions

2.*

2.2.1-4

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.2.1-4ubuntu0.1~esm1",
            "binary_name": "libmina2-java"
        }
    ]
}

Database specific

cves_map

{
    "cves": [],
    "ecosystem": "Ubuntu:Pro:26.04:LTS"
}

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8465-1.json"