ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <bode...@apache.org>
Subject Re: Ivy - No more support for commons-httpclient 2.x in runtime classpath?
Date Mon, 24 Jul 2017 06:13:51 GMT
On 2017-07-24, Jaikiran Pai wrote:

> Ivy currently uses commons-httpclient for dealing with HTTP
> repositories. This is an internal implementation detail of Ivy. The
> way it's implemented, it allows the user to use a version of their
> choice, of this library, by placing them in the runtime classpath
> (similar to some other libraries we use). The implementation
> internally checks for the presence of 2.x as well as 3.x version of
> library to decide which version to use at _runtime_ .

Let me point out that even 3.x has long reached end of life. It's
successor fixed CVE-2012-5783[1] with 4.2.3 but there hasn't been any
3.x release that has fixed it AFAIK.

Stefan

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Mime
View raw message