On Tue, 2026-07-07 at 13:05 +0200, Marcel Stör wrote:
> > The MessageConstraints in the 4.x line sets no constraints on the
> > header line length and header max count by default. One can however
> > easily configure MessageConstraints to have more conservative
> > defaults
> > without much effort. Better yet, one should migrate to the 5.x
> > line.
> > There is no excuse for not having done so.
> 
> I fully agree. Unfortunately, there are projects out there that still
> haven't done so. Hence, 4.x JARs still end up in my classpath even 
> though our own code uses 5.x. That is the reason I had to look into
> this 
> CVE with a little more scrutiny than I usually do.
> 
> > If anyone decides to throw a new vulnerability report at us,
> > similar to
> > CVE-2026-54399, my personal preference would be to declare
> > HttpClient
> > 4.x end-of-life the every same moment.
> > 
> > HttpClient 4.x is dead, please stop kicking the corpse.
> 
> Again, full ACK. However, Ryan upgrading the version to 4.4.17-
> SNAPSHOT 
> in the 4.4.x branch[1] just sent a different signal.
> 

Ryan is welcome to do so. Whether or not there would be a public
release off that branch is a whole different story.

Oleg


> [1] 
> https://github.com/apache/httpcomponents-core/commit/6b8bf91fcbcbb8fe48c6cf9bb57bcbb2dd64c96d
> 
> -- 
> Marcel Stör, https://frightanic.com
> My PGP key: https://frightanic.com/pgp/

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to