Hi Gary,

To clarify, the semver notation we’re using—“>=5.4.0 <5.4.3”—is intended to cover only versions 5.4.0, 5.4.1, and 5.4.2, explicitly excluding 5.4.3 (which contains the fix). The “<5.4.3” part ensures that 5.4.3 isn’t matched, even though it might initially seem like it could be.
Best regards,
Arturo

On Fri, Mar 28, 2025 at 9:34 AM Gary Gregory <garydgreg...@gmail.com> wrote:
> On Fri, Mar 28, 2025, 08:28 Arturo Bernal <aber...@apache.org> wrote:
> >
> > *Severity:* Moderate
> >
> > *Affected Versions:*
> >
> > - Apache HttpClient 5.4.x
> > *(Earlier versions are unaffected.)*
>
> That pattern doesn't make sense to me since it matches 5.4.3. It would be
> better to list versions or use the less than and greater than pattern.
>
> Gary
>
> > *Description:*
> > A bug in Apache HttpClient 5.4.x effectively disables Public Suffix List
> > (PSL) validation, impacting cookie management and host name verification.
> > This may lead to unauthorized access or information disclosure.
> >
> > Users are advised to upgrade to *Apache HttpClient 5.4.3*, which includes a
> > fix for this issue.
> >
> > *Credit:*
> > Discovered by the Apache HttpClient team. Fix contributed by Joe Gallo.
> >
> > *References:*
> >
> > - Introduction PR #574: https://github.com/apache/httpcomponents-client/pull/574
> > - Fix PR #621: https://github.com/apache/httpcomponents-client/pull/621
> > - Apache HttpClient Project: https://hc.apache.org/httpcomponents-client-5.4.x/
> > - CVE Record (once public): https://www.cve.org/CVERecord?id=CVE-2025-27820
> >
> > Best regards,
> >
> > Arturo
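The range semantics discussed above, as an added example that is not part of the thread and not code from the Apache HttpClient project: a minimal evaluator for a space-separated comparator set such as ">=5.4.0 <5.4.3" (every comparator must hold), run over the 5.4.x line to show that 5.4.3 falls outside the affected range. Versions are compared numerically per component, so 5.4.10 is correctly treated as later than 5.4.3; pre-release suffixes are not handled, which is an assumption made to keep the example short.

```python
import re
from typing import Callable, List, Tuple

Version = Tuple[int, int, int]

# Comparison operators accepted in a comparator set like ">=5.4.0 <5.4.3".
_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
    "=": lambda v, b: v == b,
}

_COMPARATOR = re.compile(r"^(>=|<=|>|<|=)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple so comparisons are numeric,
    not lexical (so 5.4.10 > 5.4.3)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_range(expr: str) -> List[Callable[[Version], bool]]:
    """Parse a space-separated comparator set into predicates that must ALL hold.
    A bare version with no operator is treated as an exact match."""
    checks: List[Callable[[Version], bool]] = []
    for token in expr.split():
        m = _COMPARATOR.match(token)
        if not m:
            raise ValueError(f"bad comparator: {token!r}")
        op = m.group(1) or "="
        bound: Version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
        # Bind op/bound per iteration so each closure keeps its own comparator.
        checks.append(lambda v, op=op, bound=bound: _OPS[op](v, bound))
    return checks


def satisfies(version: str, expr: str) -> bool:
    """True if `version` lies inside the comparator set `expr`."""
    v = parse_version(version)
    return all(check(v) for check in parse_range(expr))


def affected(versions: List[str], expr: str) -> List[str]:
    """Filter a list of release versions down to those matched by the range."""
    return [v for v in versions if satisfies(v, expr)]


if __name__ == "__main__":
    # Constructed release list for illustration; 5.4.10 is hypothetical and
    # only present to show that comparison is numeric per component.
    releases = ["5.3.9", "5.4.0", "5.4.1", "5.4.2", "5.4.3", "5.4.10"]
    print(affected(releases, ">=5.4.0 <5.4.3"))
```

Running the block prints `['5.4.0', '5.4.1', '5.4.2']`: the fixed release 5.4.3 and everything after it are excluded by the `<5.4.3` bound, and 5.3.9 is excluded by `>=5.4.0`.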