hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 37345] - ProxyCredentials disclosed to remote host
Date Thu, 03 Nov 2005 19:59:59 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37345>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37345


olegk@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|blocker                     |normal




------- Additional Comments From olegk@apache.org  2005-11-03 20:59 -------
All right. Things are not as bad as they seemed initially. 

(1) The proxy credentials are leaked to the origin server via a secure tunnel
ONLY if preemptive authentication is being used. Preemptive
authentication by itself is a hack and a security risk and should be avoided at
all costs.

(2) This bug does not affect any of the official releases thanks to Bug 37197.

There is no reason to block the release.

A fix is coming shortly.

Oleg

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org
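
The leak described in point (1) of the message above, modelled as an added example that is not part of the bug report or of HttpClient's code: a check over the request heads a client sends on one proxied connection, next to the stripped form of the tunneled request. The host names, path, Basic credential and function names are constructed, and the model assumes the CONNECT succeeded, so everything sent after it is read by the origin server.

```python
# Added illustration: outbound request heads on one proxied connection.
# Hosts, paths and the Basic credential below are constructed sample data.
LEAK_HEADER = "proxy-authorization"

def parse_head(raw):
    """Return (method, target, {lowercased header name: value}) for a request head."""
    lines = raw.strip().split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def audit(stream):
    """Flag requests sent after a CONNECT that still carry proxy credentials.

    Assumption: the CONNECT succeeded, so later bytes are read by the origin.
    """
    findings, tunnel = [], None
    for raw in stream:
        method, target, headers = parse_head(raw)
        if method == "CONNECT":
            tunnel = target          # the proxy is the intended reader of this head
        elif tunnel and LEAK_HEADER in headers:
            findings.append((tunnel, method, target))
    return findings

def strip_for_tunnel(raw):
    """Drop Proxy-Authorization from a head that will travel inside the tunnel."""
    kept = [l for l in raw.split("\r\n")
            if not l.lower().startswith(LEAK_HEADER + ":")]
    return "\r\n".join(kept)

CONNECT = ("CONNECT origin.example:443 HTTP/1.1\r\nHost: origin.example:443\r\n"
           "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
# Preemptive behaviour: the credential is attached without waiting for a 407,
# here also to the request that goes through the tunnel.
TUNNELED = ("GET /account HTTP/1.1\r\nHost: origin.example\r\n"
            "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n")

LEAKY = [CONNECT, TUNNELED]
FIXED = [CONNECT, strip_for_tunnel(TUNNELED)]

if __name__ == "__main__":
    print("leaky:", audit(LEAKY))
    print("fixed:", audit(FIXED))
```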

