On Mon, 2026-07-06 at 22:09 +0200, Marcel Stör wrote: > Thanks for the feedback Gary. I am aware of the differences and > incompatibilities. > > A CPE is unrelated to the Java package and Maven coordinates. Its > scope > is a /product/ rather than a /package/. Hence, > "cpe:2.3:a:apache:httpcomponents_core:*:*:*:*:*:*:*:*" applies to the > entire HC product line. > > To assess the applicability of the vulnerability, I'm a trying to > find > out if HC v4.4 is just as vulnerable as v5 is/was. I see that > MessageConstraints.Builder uses the same pattern as Http1Config that > Oleg fixed.
The MessageConstraints in the 4.x line sets no constraints on the header line length and header max count by default. One can however easily configure MessageConstraints to have more conservative defaults without much effort. Better yet, one should migrate to the 5.x line. There is no excuse for not having done so. If anyone decides to throw a new vulnerability report at us, similar to CVE-2026-54399, my personal preference would be to declare HttpClient 4.x end-of-life the every same moment. HttpClient 4.x is dead, please stop kicking the corpse. Oleg > > On 06.07.2026 21:14, Gary Gregory wrote: > > The CVE doesn't talk about 4.x because it lives in a different Java > > package and different Maven coordinates. 5.x is not a drop in > > replacement for 4.x. If you tried to replace 4.x with 5.x, your app > > wouldn't run. So it doesn't make sense for a report to talk about > > 4.x > > and 5.x, except in the most general terms. > -- > Marcel Stör, https://frightanic.com > My PGP key: https://frightanic.com/pgp/ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
