hbase-issues mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-15767) Upgrade httpclient dependency
Date Wed, 04 May 2016 18:26:12 GMT
Ted Yu created HBASE-15767:

             Summary: Upgrade httpclient dependency
                 Key: HBASE-15767
                 URL: https://issues.apache.org/jira/browse/HBASE-15767
             Project: HBase
          Issue Type: Bug
            Reporter: Ted Yu

Currently commons-httpclient 3.1 is used.

This has already reached end-of-life at Apache.
We should move to 4.3.6 or later.


https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java
in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration
setting during an SSL handshake, which allows remote attackers to cause a denial of service
(HTTPS call hang) via unspecified vectors.

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant
Java SDK and other products, does not verify that the server hostname matches a domain name
in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which
allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

This message was sent by Atlassian JIRA
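The hostname check that the second CVE description above says commons-httpclient 3.x omits, as an added example that is not part of this issue and is not HBase's or HttpClient's code. It is written in Python against constructed, simplified certificate dicts shaped like the output of ssl.SSLSocket.getpeercert(); the certificate contents, host names and function names are assumptions made for illustration, and no TLS connection is opened. The point it makes is that validating the certificate chain alone says nothing about which host the certificate is for: a client that skips the identity comparison accepts any valid certificate, which is exactly the man-in-the-middle condition the CVE text describes.

```python
"""Hostname verification of the kind commons-httpclient 3.x omits.

Constructed illustration, not HBase or HttpClient code. Certificates are
dicts shaped like Python's ssl.SSLSocket.getpeercert() output (a constructed,
simplified subset); no real TLS connection is made.
"""


class HostnameMismatch(Exception):
    """Raised when the presented certificate is not for the requested host."""


def _dns_names(cert):
    """Return the DNS identities of a certificate in preference order.

    RFC 6125 rule: when a subjectAltName extension carries DNS entries, only
    those are consulted; the subject Common Name is a fallback for
    certificates that have no subjectAltName.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname with RFC 6125 wildcard rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # A wildcard must be the entire leftmost label, must have at least two
    # labels after it (no "*.com"), and must never appear anywhere else.
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    # The wildcard covers exactly one label; it never spans a dot.
    if len(hlabels) != len(plabels):
        return False
    return hlabels[1:] == plabels[1:]


def match_hostname(cert, hostname):
    """Verify that `hostname` is one of the identities in `cert`.

    This is the check a TLS client must perform after chain validation.
    Without it, any certificate that chains to a trusted CA is accepted for
    any host, which is the weakness described for commons-httpclient 3.x.
    """
    names = _dns_names(cert)
    if not names:
        raise HostnameMismatch("certificate carries no DNS identity")
    for name in names:
        if _name_matches(name, hostname):
            return True
    raise HostnameMismatch(
        "hostname %r does not match certificate names %r" % (hostname, names))


def accept_any_valid_cert(cert, hostname):
    """Behaviour of a client that skips hostname verification (3.x style).

    Chain validation is assumed to have passed; the identity is never compared.
    """
    return True


def is_accepted(verifier, cert, hostname):
    """True if `verifier` would accept `cert` for a connection to `hostname`."""
    try:
        return bool(verifier(cert, hostname))
    except HostnameMismatch:
        return False


# Constructed sample certificates (not real certificates).
LEGIT_CERT = {
    "subject": ((("commonName", "hbase.example.com"),),),
    "subjectAltName": (("DNS", "hbase.example.com"), ("DNS", "*.internal.example.com")),
}
# A perfectly valid certificate issued to an unrelated name, as an attacker
# in the network path would present it.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
# Legacy certificate with no subjectAltName; only the CN identifies it.
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.com"),)),
}
# A certificate whose CN matches but whose subjectAltName does not: the SAN wins.
CN_SAN_CONFLICT_CERT = {
    "subject": ((("commonName", "hbase.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}


if __name__ == "__main__":
    for label, verifier in (("3.x-style (no check)", accept_any_valid_cert),
                            ("RFC 6125 check", match_hostname)):
        print(label, "accepts attacker cert for hbase.example.com:",
              is_accepted(verifier, ATTACKER_CERT, "hbase.example.com"))
```

After moving to HttpClient 4.x, the upgrade only closes this gap if the client is built with a strict hostname verifier; a 4.x client configured with an allow-all verifier reproduces the 3.x behaviour shown by accept_any_valid_cert above, so that configuration is worth checking alongside the version bump.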
