axis-java-dev mailing list archives

From "Andreas Veithen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AXIS2-5761) Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2
Date Tue, 19 Apr 2016 19:16:25 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15248448#comment-15248448 ]

Andreas Veithen commented on AXIS2-5761:
----------------------------------------

I don't think we can just remove commons-httpclient 3.1. What we can do is to make the httpclient
4.x based transport the default and deprecate the commons-httpclient 3.1 based one. Maybe
we can also move these two implementations to two different Maven modules, so that people
switching to the httpclient 4.x based transport don't get the dependency on commons-httpclient
3.1. Note that all this would only be in scope for 1.8.0, not for a 1.7.x maintenance release.

> Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2 
> ----------------------------------------------------------------------------
>
>                 Key: AXIS2-5761
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5761
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.7.0, 1.7.1
>            Reporter: Deepak
>
> Hi
> Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2, as this
> version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153,
> CVE-2014-3577
> The Vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in Apache
> Commons HttpClient before 4.2.3" is vulnerable. (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> Additional information on these vulnerabilities can be found at these links:
> https://exchange.xforce.ibmcloud.com/vulnerabilities/95327
> https://exchange.xforce.ibmcloud.com/vulnerabilities/95328
> http://archives.neohapsis.com/archives/bugtraq/2014-08/0089.html
> Dependency of commons-httpclient-3.1.jar should be upgraded to the newer GA versions
> available (https://hc.apache.org/downloads.cgi)
> Regds,
> Deepak



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org

