Date: Thu, 5 Nov 2015 22:02:56 +0100
Subject: Re: Question on CVE-2015-526
From: Aki Yoshida
To: HttpClient User Discussion

Hi Oleg,

Thanks. That answered my question.

regards, aki

2015-11-05 16:13 GMT+01:00 Oleg Kalnichevski:
> On Thu, 2015-11-05 at 13:12 +0100, Aki Yoshida wrote:
>> Hi,
>> I have a question about CVE-2015-5262 [1] which talks about an issue
>> regarding Httpclient before version 4.3.6. The referred jira ticket
>> HTTPCLIENT-1478 [2] from there mentions that this issue has been fixed
>> in 4.3.4.
>>
>> Could someone clarify the situation? Is there indeed an issue with
>> 4.3.4 and 4.3.5 which is for security reasons not publicly linked from
>> the above CVE or if there is an error in either of the documents?
>>
>
> No, there is not. HTTPCLIENT-1478 affected deprecated code only. It did
> not affect productive code to start with. CVE-2015-5262 should have
> never been raised in the first place but some people think being
> credited as a reporter of CVE entry is cool.
>
> Oleg
>
>> Regards, Aki
>> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
>> [2] https://issues.apache.org/jira/browse/HTTPCLIENT-1478

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org