From: "Sylwester Lachiewicz (JIRA)"
To: issues@maven.apache.org
Date: Wed, 8 May 2019 05:48:00 +0000 (UTC)
Subject: [jira] [Commented] (DOXIA-576) Upgrade Http Components to 4.4.11 (core) and 4.5.8 (httpclient)

    [ https://issues.apache.org/jira/browse/DOXIA-576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835329#comment-16835329 ]

Sylwester Lachiewicz commented on DOXIA-576:
--------------------------------------------

Done in [2a0566c0|https://gitbox.apache.org/repos/asf?p=maven-doxia.git;a=commit;h=2a0566c0e6dd4fa35fc601acbcaa98cda081f797]

> Upgrade Http Components to 4.4.11 (core) and 4.5.8 (httpclient)
> ---------------------------------------------------------------
>
>                 Key: DOXIA-576
>                 URL: https://issues.apache.org/jira/browse/DOXIA-576
>             Project: Maven Doxia
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Minor
>             Fix For: 1.9
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The following vulnerabilities are fixed with an upgrade:
>
> [CVE-2011-1498|https://nvd.nist.gov/vuln/detail/CVE-2011-1498]
> Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header. [Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30644]
>
> [CVE-2012-6153|https://nvd.nist.gov/vuln/detail/CVE-2012-6153]
> http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783. [Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30645]
>
> [CVE-2014-3577|https://nvd.nist.gov/vuln/detail/CVE-2014-3577]
> Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header. [Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646]
>
> [CVE-2015-5262|https://nvd.nist.gov/vuln/detail/CVE-2015-5262]
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. [Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30647]
>
> HTTPCLIENT-1803
> Affected versions of the package are vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. [Snyk.io details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517]
>
> Discovered with [Snyk.io|https://snyk.io/] scan.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)