Ah, great, thanks JB!

- Eric L

On Fri, Oct 23, 2020 at 6:29 AM Jean-Baptiste Onofre <j...@nanthrax.net>
wrote:

> Hi Eric,
>
> Yup: https://issues.apache.org/jira/browse/KARAF-6890
>
> Regards
> JB
>
> On 23 Oct 2020 at 03:19, Eric Lilja <mindcoo...@gmail.com> wrote:
>
> Nice! Great to see! But is there a Jira for this issue for the upcoming
> 4.2.11?
>
> - Eric L
>
> On Thu, Oct 22, 2020 at 7:17 AM Jean-Baptiste Onofre <j...@nanthrax.net>
> wrote:
>
>> The update has been already merged ;)
>>
>> Thanks
>> Regards
>> JB
>>
>> > On 21 Oct 2020 at 11:04, Pattan, Sachin <sachin.pat...@sap.com> wrote:
>> >
>> > Dear Colleagues,
>> >
>> > As per https://bugzilla.redhat.com/show_bug.cgi?id=1886587, http.client
>> > libraries below version 4.5.13 have the vulnerability CVE-2020-13956
>> > (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956).
>> >
>> > Karaf 4.2.x rebundles http.client (4.5.6) classes, as seen at
>> > https://github.com/apache/karaf/blob/karaf-4.2.10/jaas/modules/pom.xml#L180.
>> > This makes it vulnerable, and hence our security scans are detecting it as a
>> > vulnerable library. I created the PR
>> > https://github.com/apache/karaf/pull/1243 to update httpclient.version
>> > to 4.5.13. Please take a look at it whenever it is possible and include it
>> > in the upcoming release of Karaf 4.2.x if it fits well.
>> >
>> > Kind regards,
>> >
>> >
>> >
>> > Sachin Pattan
>> > The Tools Team
>> > WDF07  X1.65
>>
>>
>