On Tue, 2026-07-07 at 13:05 +0200, Marcel Stör wrote: > > The MessageConstraints in the 4.x line sets no constraints on the > > header line length and header max count by default. One can however > > easily configure MessageConstraints to have more conservative > > defaults > > without much effort. Better yet, one should migrate to the 5.x > > line. > > There is no excuse for not having done so. > > I fully agree. Unfortunately, there are projects out there that still > haven't done so. Hence, 4.x JARs still end up in my classpath even > though our own code uses 5.x. That is the reason I had to look into > this > CVE with a little more scrutiny than I usually do. > > > If anyone decides to throw a new vulnerability report at us, > > similar to > > CVE-2026-54399, my personal preference would be to declare > > HttpClient > > 4.x end-of-life the every same moment. > > > > HttpClient 4.x is dead, please stop kicking the corpse. > > Again, full ACK. However, Ryan upgrading the version to 4.4.17- > SNAPSHOT > in the 4.4.x branch[1] just sent a different signal. >
Ryan is welcome to do so. Whether or not there would be a public release off that branch is a whole different story. Oleg > [1] > https://github.com/apache/httpcomponents-core/commit/6b8bf91fcbcbb8fe48c6cf9bb57bcbb2dd64c96d > > -- > Marcel Stör, https://frightanic.com > My PGP key: https://frightanic.com/pgp/ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
