Hi Eric,

Yup: https://issues.apache.org/jira/browse/KARAF-6890

Regards
JB

> On 23 Oct 2020 at 03:19, Eric Lilja <mindcoo...@gmail.com> wrote:
> 
> Nice! Great to see! But is there a Jira for this issue for the upcoming 
> 4.2.11?
> 
> - Eric L
> 
> On Thu, Oct 22, 2020 at 7:17 AM Jean-Baptiste Onofre <j...@nanthrax.net> wrote:
> The update has been already merged ;)
> 
> Thanks
> Regards
> JB
> 
> > On 21 Oct 2020 at 11:04, Pattan, Sachin <sachin.pat...@sap.com> wrote:
> > 
> > Dear Colleagues, 
> >  
> > As per https://bugzilla.redhat.com/show_bug.cgi?id=1886587, http.client
> > libraries below version 4.5.13 have the vulnerability CVE-2020-13956
> > (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956).
> >  
> > As Karaf 4.2.x rebundles http.client (4.5.6) classes as seen at
> > https://github.com/apache/karaf/blob/karaf-4.2.10/jaas/modules/pom.xml#L180.
> > This makes it vulnerable and hence our security scans are detecting it as
> > a vulnerable library. I created the PR
> > https://github.com/apache/karaf/pull/1243 to update httpclient.version
> > to 4.5.13. Please take a look at it whenever it is possible and include it
> > in the upcoming release of Karaf 4.2.x if it fits well.
> >  
> > Kind regards,
> > 
> > Sachin Pattan
> > The Tools Team
> > WDF07  X1.65
> 

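As an added example (not code from this thread or from the Karaf project): a Python check of the kind a security scan performs for the situation Sachin describes. It inspects a jar for the shaded httpclient classes (`org/apache/http/client/`) and the Maven `pom.properties` entry that Maven-built jars carry, compares the found version numerically against 4.5.13, and separately reads the `httpclient.version` property from a `pom.xml`. The jar and pom contents below are constructed fixtures; the `META-INF/maven/...` path and the class prefix follow the standard Maven and httpclient layout rather than anything stated in the thread.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# First fixed httpclient release named in the Red Hat bug and the Karaf PR.
FIXED_VERSION = "4.5.13"
# Standard Maven layout: a built jar records its own coordinates and version here.
HTTPCLIENT_POM_PROPS = "META-INF/maven/org.apache.httpcomponents/httpclient/pom.properties"
# Package prefix of the classes that get shaded (rebundled) into the Karaf jar.
HTTPCLIENT_CLASS_PREFIX = "org/apache/http/client/"


def parse_version(text):
    """Turn '4.5.6' or '4.5.13-SNAPSHOT' into a tuple of ints, so that 4.5.13
    sorts after 4.5.6 (a plain string comparison gets this wrong)."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(version):
    """True when the version is at or above the first fixed release."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def scan_jar(jar_bytes):
    """Return {'bundled', 'version', 'vulnerable'} for one jar.

    'vulnerable' is None when httpclient classes are present but no version
    metadata was found: that is the case a scanner should hand to a human."""
    result = {"bundled": False, "version": None, "vulnerable": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        result["bundled"] = any(n.startswith(HTTPCLIENT_CLASS_PREFIX) for n in names)
        if HTTPCLIENT_POM_PROPS in names:
            props = zf.read(HTTPCLIENT_POM_PROPS).decode("utf-8")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if match:
                result["version"] = match.group(1).strip()
    if result["version"] is not None:
        result["vulnerable"] = not is_fixed(result["version"])
    elif not result["bundled"]:
        result["vulnerable"] = False  # nothing from httpclient inside this jar
    # else: shaded classes without version metadata stay None (manual review)
    return result


def httpclient_version_from_pom(pom_xml):
    """Read <properties><httpclient.version> from a Maven pom, ignoring the
    default POM namespace so the lookup works with or without xmlns."""
    root = ET.fromstring(pom_xml)
    for element in root.iter():
        if element.tag.split("}")[-1] == "httpclient.version":
            return (element.text or "").strip()
    return None


def build_sample_jar(version=None):
    """Constructed fixture: a minimal jar with one shaded httpclient class and,
    when a version is given, a Maven pom.properties declaring it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(HTTPCLIENT_CLASS_PREFIX + "HttpClient.class", b"\xca\xfe\xba\xbe")
        if version is not None:
            zf.writestr(HTTPCLIENT_POM_PROPS,
                        "groupId=org.apache.httpcomponents\n"
                        "artifactId=httpclient\n"
                        "version=%s\n" % version)
    return buf.getvalue()


# Constructed pom fragment mirroring the property the Karaf PR bumps.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <httpclient.version>4.5.6</httpclient.version>
  </properties>
</project>"""


if __name__ == "__main__":
    print(scan_jar(build_sample_jar("4.5.6")))    # vulnerable: True
    print(scan_jar(build_sample_jar("4.5.13")))   # vulnerable: False
    print(scan_jar(build_sample_jar()))           # vulnerable: None (no metadata)
    print(httpclient_version_from_pom(SAMPLE_POM), is_fixed(httpclient_version_from_pom(SAMPLE_POM)))
```

The numeric comparison matters because a lexical check would rank "4.5.6" above "4.5.13"; the `None` outcome is deliberate, since a shaded copy with its `META-INF/maven` entries stripped is exactly what a scanner is most likely to miss.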