Re: [CVE-2019-0231] MINA SSLFilter security Issue

[Doran Moppert <dmoppert () redhat com>]

On Sun, Apr 14, 2019 at 08:30:49AM +0200, Emmanuel Lecharny wrote:
> Description: Handling of the close_notify SSL/TLS message does not
> lead to a connection closure, leading the server to retain the socket
> opened and to have the client potentially receive clear-text messages
> which were supposed to be encrypted.
>
> This security issue is fixed by Apache MINA 2.0.21 or Apache MINA
> 2.0.21. Please migrate to those new versions.

Hi Emmanuel,

I think the above should read "2.0.21 or Apache MINA 2.1.1".  Is the 
commit fixing the issue 73e881ad9?  I am trying to figure out if our 
products using 1.1 need to consider a back-port.

Thanks,

--
Doran Moppert
Red Hat Product Security