Bump com.sun.mail:jakarta.mail from 1.6.7 to 1.6.8 #395
garydgregory merged 1 commit into apache:1.x from
Conversation
@garydgregory I hope this looks right for the backport, please LMK

I fixed the Java 25+ failures the same way I did in master. Please rebase on git master and I'll kick off another build. The CVE refers to the Eclipse Angus libraries, not com.sun.mail, so the PR title is inappropriate.
…to 1.6.8 Version 1.6.7 is vulnerable to CVE-2025-7962, an SMTP injection flaw allowing attackers to inject arbitrary SMTP commands via \r\n characters in UTF-8 encoded input. The fix in 1.6.8 adds input validation in SMTPTransport.sendCommand() via a private validateCommand() method. No public API changes - binary compatible with 1.6.7.
c81e729 to 405f12e
Appreciate your work holding my hand on my first contrib here Gary! I've rebased now

I've updated the title and body to reflect what I think I've understood as a confusing situation where jakarta-mail now lives in the eclipse namespace.

PR merged, thank you! 👍
Summary

com.sun.mail:jakarta.mail from 1.6.7 to 1.6.8. Version 1.6.7 is vulnerable to CVE-2025-7962, an SMTP injection flaw allowing attackers to inject arbitrary SMTP commands via \r\n characters in UTF-8 encoded input.

Binary compatibility

The fix in 1.6.8 is purely internal - a private validateCommand() method was added to SMTPTransport.sendCommand(). No public API was changed. The only other changes in 1.6.8 are an internal NTLM auth fix and logging improvements.

Diff of the security fix: eclipse-ee4j/mail@cc9b954
Confusing package naming in the CVE
From https://eclipse-ee4j.github.io/angus-mail/
It might be wise for a future change to move away from the discontinued com.sun.mail:jakarta.mail namespace altogether.
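The summary above describes the 1.6.8 fix as a private validateCommand() check inside SMTPTransport.sendCommand(). The class below is an added, stand-alone illustration of what such a guard does and why it is charset-independent; it is not the jakarta.mail code and the name SmtpCommandGuard is hypothetical. SMTP is line-oriented, so a CR or LF smuggled into a command argument ends the current command early and lets the remainder be read as a new command; the guard therefore refuses any command text containing either character. The second method shows the same check on the UTF-8 byte form: because the bytes 0x0D and 0x0A are never part of a multi-byte UTF-8 sequence, scanning the encoded bytes and scanning the chars give the same answer, so encoding the input as UTF-8 cannot hide a line break from the check.

```java
import java.nio.charset.StandardCharsets;

/**
 * Illustrative guard for outgoing SMTP command lines (example code, not the
 * jakarta.mail implementation). The library's own check lives in
 * SMTPTransport.sendCommand(); this class only demonstrates the idea.
 */
public final class SmtpCommandGuard {

    private SmtpCommandGuard() {}

    /**
     * Returns the command unchanged if it contains no CR (0x0D) or LF (0x0A);
     * otherwise throws, because either character would terminate the SMTP
     * line early and let the rest be interpreted as a separate command.
     */
    public static String validate(String command) {
        if (command == null) {
            throw new IllegalArgumentException("command must not be null");
        }
        for (int i = 0; i < command.length(); i++) {
            char c = command.charAt(i);
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException(
                        "SMTP command contains a line break at index " + i);
            }
        }
        return command;
    }

    /**
     * Same test on the UTF-8 encoding. In UTF-8 every byte below 0x80 is a
     * complete ASCII character, so 0x0D/0x0A can only ever be CR/LF; the
     * encoding offers no alternative representation of a line break.
     */
    public static boolean containsLineBreak(byte[] utf8) {
        for (byte b : utf8) {
            if (b == 0x0D || b == 0x0A) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed samples: a well-formed recipient command and one that
        // carries an embedded CRLF, as a caller might pass from untrusted input.
        String clean = "RCPT TO:<alice@example.test>";
        String injected = "RCPT TO:<alice@example.test>\r\nNOOP";

        System.out.println("accepted: " + validate(clean));
        System.out.println("UTF-8 bytes contain CR/LF: "
                + containsLineBreak(injected.getBytes(StandardCharsets.UTF_8)));
        try {
            validate(injected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main prints that the clean command is accepted, that the UTF-8 byte form of the second sample does contain a line break, and that validate rejects it. The practical takeaway for a consumer of the library is that the 1.6.8 check sits at the transport layer, so upgrading closes the gap for every caller; application code that builds addresses or headers from user input should still reject CR/LF before it reaches the mail API, since that keeps the failure visible at the point where the bad data enters.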