[
https://issues.apache.org/jira/browse/OOZIE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15494931#comment-15494931
]
Robert Kanter commented on OOZIE-2538:
--------------------------------------
Why do we specify the versions in the webapp pom? Shouldn't they go in the
root pom?
> Update HttpClient versions to close security vulnerabilities
> ------------------------------------------------------------
>
> Key: OOZIE-2538
> URL: https://issues.apache.org/jira/browse/OOZIE-2538
> Project: Oozie
> Issue Type: Bug
> Components: core
> Reporter: Abhishek Bafna
> Assignee: Abhishek Bafna
> Fix For: 4.3.0
>
> Attachments: OOZIE-2538-01.patch, OOZIE-2538.patch
>
>
> We learned that
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 :
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting
> during an SSL handshake, which allows remote attackers to cause a denial of
> service (HTTPS call hang) via unspecified vectors.
> Also, Commons HttpClient project is now end of life, and is no longer being
> developed. It has been replaced by the Apache HttpComponents project in its
> HttpClient and HttpCore modules, which offer better performance and more
> flexibility. http://hc.apache.org/httpclient-3.x/
> Hence, HttpClient version should be updated.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
