maven-issues mailing list archives

From "Sylwester Lachiewicz (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (DOXIA-576) Upgrade Http Components to 4.4.11 (core) and 4.5.8 (httpclient)
Date Wed, 08 May 2019 05:48:00 GMT

     [ https://issues.apache.org/jira/browse/DOXIA-576?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sylwester Lachiewicz closed DOXIA-576.
--------------------------------------
    Resolution: Fixed

> Upgrade Http Components to 4.4.11 (core) and 4.5.8 (httpclient)
> ---------------------------------------------------------------
>
>                 Key: DOXIA-576
>                 URL: https://issues.apache.org/jira/browse/DOXIA-576
>             Project: Maven Doxia
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Minor
>             Fix For: 1.9
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The following vulnerabilities are fixed with an upgrade:
> [CVE-2011-1498|https://nvd.nist.gov/vuln/detail/CVE-2011-1498]
>  Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating
proxy server, sends the Proxy-Authorization header to the origin server, which allows remote
web servers to obtain sensitive information by logging this header. [Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30644]
> [CVE-2012-6153|https://nvd.nist.gov/vuln/detail/CVE-2012-6153]
>  http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not
properly verify that the server hostname matches a domain name in the subject's Common Name
(CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers
to spoof SSL servers via a certificate with a subject that specifies a common name in a field
that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
[Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30645]
> [CVE-2014-3577|https://nvd.nist.gov/vuln/detail/CVE-2014-3577]
>  Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating
proxy server, sends the Proxy-Authorization header to the origin server, which allows remote
web servers to obtain sensitive information by logging this header. [Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646]
> [CVE-2015-5262|https://nvd.nist.gov/vuln/detail/CVE-2015-5262]
>  http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before
4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which
allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
[Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30647]
> HTTPCLIENT-1803
>  Affected versions of the package are vulnerable to Directory Traversal, which may allow
access to sensitive files and data on the server. [Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517]
> Discovered with a [Snyk.io|https://snyk.io/] scan.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
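As an added practitioner's check, not part of the ticket above and not code from the Doxia project: a Python script that scans `mvn dependency:tree` output for `org.apache.httpcomponents:httpclient` versions older than the fixed-in versions quoted in the ticket's CVE summaries (4.1.1, 4.2.3, 4.3.6) and for either HttpComponents artifact resolved below the versions this ticket upgrades to (httpcore 4.4.11, httpclient 4.5.8). Only the three CVE entries whose summaries state a distinct fixed version are included; HTTPCLIENT-1803 carries no version in the ticket and is not checked. The dependency-tree text is constructed sample output, and the version comparison deliberately drops qualifiers such as `-SNAPSHOT` (an assumption, so a 4.5.8-SNAPSHOT is treated as 4.5.8).

```python
import re
from typing import Dict, List, Tuple

# Fixed-in versions quoted in the ticket's CVE summaries (httpclient only; the
# ticket states no fixed version for HTTPCLIENT-1803, so it is not checked).
FIXED_IN: Dict[str, List[Tuple[str, str]]] = {
    "org.apache.httpcomponents:httpclient": [
        ("CVE-2011-1498", "4.1.1"),
        ("CVE-2012-6153", "4.2.3"),
        ("CVE-2015-5262", "4.3.6"),
    ],
}

# Versions the ticket upgrades to.
TARGET: Dict[str, str] = {
    "org.apache.httpcomponents:httpcore": "4.4.11",
    "org.apache.httpcomponents:httpclient": "4.5.8",
}

# Constructed `mvn dependency:tree` output (sample data, not a real build log),
# before and after the upgrade.
TREE_BEFORE = r"""
[INFO] org.apache.maven.doxia:doxia-core:jar:1.8
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.2.1:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.2.1:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.6:compile
[INFO] \- junit:junit:jar:4.12:test
"""

TREE_AFTER = r"""
[INFO] org.apache.maven.doxia:doxia-core:jar:1.9-SNAPSHOT
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] \- junit:junit:jar:4.12:test
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a Maven version; qualifiers such as -SNAPSHOT are dropped (assumption)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_older(found: str, fixed: str) -> bool:
    """True if `found` sorts before `fixed` numerically (so 4.10 > 4.9 and 4.3 < 4.3.6)."""
    a, b = version_key(found), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_tree(tree_text: str) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for each coordinate line in the tree output."""
    found = []
    for line in tree_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        parts = fields[-1].split(":")
        # Coordinate layout: groupId:artifactId:type[:classifier]:version[:scope]
        if len(parts) in (4, 5):
            version = parts[3]
        elif len(parts) == 6:
            version = parts[4]
        else:
            continue
        if not version[:1].isdigit():
            continue
        found.append((f"{parts[0]}:{parts[1]}", version))
    return found


def find_vulnerable(tree_text: str) -> List[Tuple[str, str, str, str]]:
    """(coordinate, version, CVE, fixed-in) for every CVE whose fix is newer than the resolved version."""
    findings = []
    for coord, version in parse_tree(tree_text):
        for cve, fixed in FIXED_IN.get(coord, []):
            if is_older(version, fixed):
                findings.append((coord, version, cve, fixed))
    return findings


def below_target(tree_text: str) -> List[Tuple[str, str, str]]:
    """(coordinate, version, target) for artifacts resolved below the ticket's upgrade target."""
    return [(coord, version, TARGET[coord])
            for coord, version in parse_tree(tree_text)
            if coord in TARGET and is_older(version, TARGET[coord])]


if __name__ == "__main__":
    for coord, version, cve, fixed in find_vulnerable(TREE_BEFORE):
        print(f"{coord}:{version} affected by {cve} (fixed in {fixed})")
    for coord, version, target in below_target(TREE_BEFORE):
        print(f"{coord}:{version} is below the DOXIA-576 target {target}")
    assert not find_vulnerable(TREE_AFTER) and not below_target(TREE_AFTER)
```

Run it against real output with `mvn dependency:tree` piped into `parse_tree`; the transitive httpcore line matters as much as the direct httpclient one, since a consumer's own dependency management can pin httpclient forward while leaving httpcore behind.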
