On Tue, 2016-05-17 at 10:35 -0400, Miriam Celi wrote:
> Hello HttpComponents Dev Team,
>
> Our team is trying to figure out if Apache HTTPclient 4.2.5 is
> vulnerable to CVE-2014-3577 (Apache HttpComponents certificate
> spoofing). I did not see Apache HTTPclient 4.2.5 listed as a
> vulnerable version in the NIST Vulnerability Database CVE article
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577), but
> wanted to check with you in case that version has been missed from the
> list or is actually ok to use (not vulnerable). The list of vulnerable
> versions in the article is:
>

All 4.2 versions are vulnerable

https://github.com/apache/httpclient/blob/4.2.x/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java

Oleg
