falcon-dev mailing list archives

From "Balu Vellanki (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FALCON-1979) Update HttpClient versions to close security vulnerabilities
Date Tue, 24 May 2016 21:02:12 GMT
Balu Vellanki created FALCON-1979:

             Summary: Update HttpClient versions to close security vulnerabilities
                 Key: FALCON-1979
                 URL: https://issues.apache.org/jira/browse/FALCON-1979
             Project: Falcon
          Issue Type: Bug
            Reporter: Balu Vellanki
            Assignee: Balu Vellanki
             Fix For: 0.10

We learned that:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant
Java SDK and other products, does not verify that the server hostname matches a domain name
in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which
allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Hence, the HttpClient version should be updated.

This message was sent by Atlassian JIRA
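As an added illustration of the two behaviours the ticket's CVEs describe (this is not Falcon code and not the ticket's patch): on HttpClient 4.4+ a hostname verifier is wired into the SSL socket factory so an arbitrary valid certificate is rejected, and an explicit socket timeout is set so a hung TLS handshake cannot stall the caller. It assumes the dependency has been bumped to a 4.4-or-later HttpClient (the ticket names only "before 4.3.6" as vulnerable); the class and method names are hypothetical, and the resolved version should be confirmed with `mvn dependency:tree` after the bump.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Hypothetical helper (not Falcon code); assumes HttpClient 4.4 or later on the classpath.
public final class HardenedHttpClientFactory {

    private HardenedHttpClientFactory() {}

    // Builds a client that (a) verifies the server hostname against the certificate's
    // subjectAltName / CN, which Commons HttpClient 3.x never did, and (b) applies an explicit
    // socket timeout, which HttpClient before 4.3.6 ignored during the TLS handshake (CVE-2015-5262).
    public static CloseableHttpClient newClient(int connectTimeoutMs, int socketTimeoutMs) {
        SSLContext sslContext = SSLContexts.createSystemDefault(); // JVM trust store, no custom TrustManager
        SSLConnectionSocketFactory sslSocketFactory =
                new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier());

        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(connectTimeoutMs)           // TCP connect
                .setSocketTimeout(socketTimeoutMs)             // read inactivity, handshake included on fixed versions
                .setConnectionRequestTimeout(connectTimeoutMs) // waiting for a pooled connection
                .build();

        return HttpClients.custom()
                .setSSLSocketFactory(sslSocketFactory)
                .setDefaultRequestConfig(requestConfig)
                .build();
    }

    // Explicit hostname check against a server certificate: returns false instead of silently
    // accepting an arbitrary valid certificate, which is the man-in-the-middle case the ticket cites.
    public static boolean hostnameMatches(String host, X509Certificate serverCert) {
        try {
            new DefaultHostnameVerifier().verify(host, serverCert); // throws SSLException on mismatch
            return true;
        } catch (SSLException e) {
            return false;
        }
    }
}
```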
