Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
core
Describe the bug
It seems that we are affected by https://nvd.nist.gov/vuln/detail/CVE-2025-7962 / https://access.redhat.com/security/cve/cve-2025-48924. It is explained here https://gitlab.eclipse.org/security/cve-assignement/-/issues/67 that this also affects the angus implementation in version 2.0.3. So we need to upgrade to 2.0.4, which fixed the issue in this commit https://github.com/eclipse-ee4j/angus-mail/commit/84fe702f7a4837f325b878f17fee148a7e8ba951.
A flaw was found in com.sun.mail/jakarta.mail. The jakarta.mail component allows an attacker to inject SMTP messages by exploiting improper handling of carriage return and newline characters encoded in UTF-8. An unauthenticated attacker can leverage this vulnerability to send arbitrary SMTP messages. This injection occurs via crafted email content, potentially leading to unauthorized message transmission.
Low severity.
Version
26.3.2
Regression
[ ] The issue is a regression
Expected behavior
Upgrade to angus 2.0.4.
Actual behavior
We are on angus 2.0.3, which is affected by that CVE.
How to Reproduce?
N/A
Anything else?
No response
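An application-level guard of the kind a defender can keep in place independently of the library upgrade requested in this issue, written here as an added Python example (it is not code from this project or from angus-mail): it rejects header values that carry CR/LF whether they arrive as a str or as UTF-8 bytes, decodes bytes strictly so malformed sequences are refused, and also refuses the Unicode line separators (an assumption made for defence in depth, not a claim about which characters the CVE exercises). Header names and sample inputs are constructed for the example.

```python
import re
import unicodedata

# Header-name grammar from RFC 5322: printable ASCII except ':' and space.
_HEADER_NAME = re.compile(r"^[!-9;-~]+$")

# Code points that must never appear inside a single header value. CR and LF are
# the classic SMTP/MIME injection vector; NEL, LS and PS are added as an
# assumption for defence in depth, since some transcoding paths map them to
# line breaks.
_LINE_BREAKS = frozenset("\r\n\x85\u2028\u2029")


def check_header(name, value):
    """Return the validated (name, value) pair or raise ValueError.

    `value` may be a str or UTF-8 encoded bytes. Bytes are decoded strictly, so
    an invalid sequence raises UnicodeDecodeError (a ValueError subclass)
    instead of reaching the mail library as something it re-interprets later.
    """
    if not _HEADER_NAME.match(name):
        raise ValueError("invalid header name: %r" % name)
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="strict")
    for ch in value:
        # Tab is permitted (folding whitespace); every other control char is not.
        if ch in _LINE_BREAKS or (unicodedata.category(ch) == "Cc" and ch != "\t"):
            raise ValueError("line break or control character in header %r" % name)
    return name, value


def sanitize_headers(headers):
    """Validate every (name, value) pair; return the names that were rejected."""
    rejected = []
    for name, value in headers:
        try:
            check_header(name, value)
        except ValueError:
            rejected.append(name)
    return rejected


# Constructed sample inputs: entries 2, 3 and 5 must be rejected.
SAMPLE_HEADERS = [
    ("Subject", "Quarterly report"),
    ("Subject", "Report\r\nBcc: someone@example.invalid"),   # raw CRLF
    ("To", "user@example.invalid\u2028".encode("utf-8")),    # LS as UTF-8 bytes
    ("From", b"Sender <s\xc3\xa9nder@example.invalid>"),     # valid non-ASCII
    ("Reply-To", b"\xff\xfe"),                               # malformed UTF-8
]

if __name__ == "__main__":
    print(sanitize_headers(SAMPLE_HEADERS))
```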