Abhishek Bafna updated OOZIE-2538:
    Attachment: OOZIE-2538-02.patch

Thanks [~rkanter] for the review.

Removed the version {{httpclient.version}} from the {{httpclient}} dependency, as it 
will be coming from the main pom.
The {{httpcore.version}} version property is defined in the main pom and used in 
the {{webapp}} pom.xml. The {{httpcore}} dependency is used only once, i.e. in the 
{{webapp}} module.

> Update HttpClient versions to close security vulnerabilities
> ------------------------------------------------------------
>                 Key: OOZIE-2538
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2538
>             Project: Oozie
>          Issue Type: Bug
>          Components: core
>            Reporter: Abhishek Bafna
>            Assignee: Abhishek Bafna
>             Fix For: 4.3.0
>         Attachments: OOZIE-2538-01.patch, OOZIE-2538-02.patch, 
> OOZIE-2538.patch
> We learned that
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : 
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents 
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting 
> during an SSL handshake, which allows remote attackers to cause a denial of 
> service (HTTPS call hang) via unspecified vectors.
> Also, the Commons HttpClient project is now end of life, and is no longer being 
> developed. It has been replaced by the Apache HttpComponents project in its 
> HttpClient and HttpCore modules, which offer better performance and more 
> flexibility. http://hc.apache.org/httpclient-3.x/
> Hence, the HttpClient version should be updated.
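The pom layout the comment above describes, as an added illustration that is not Oozie's actual pom.xml: the main pom owns the {{httpclient.version}} and {{httpcore.version}} properties and manages the {{httpclient}} dependency, so the {{webapp}} pom declares {{httpclient}} without a version and references {{${httpcore.version}}} for {{httpcore}}. The version numbers, the {{org.apache.oozie}} parent coordinates and the module structure are assumptions chosen for the example; CVE-2015-5262 is fixed in HttpClient 4.3.6, so the property must be at or above that.

```xml
<!-- Main (parent) pom.xml: added illustration, not the Oozie pom.
     Version numbers and coordinates below are assumed for the example. -->
<project>
  <groupId>org.apache.oozie</groupId>
  <artifactId>oozie-main</artifactId>
  <packaging>pom</packaging>

  <properties>
    <!-- CVE-2015-5262 (socket timeout ignored during the SSL handshake)
         is fixed in HttpClient 4.3.6; never set this property below that. -->
    <httpclient.version>4.3.6</httpclient.version>
    <!-- assumed httpcore release paired with the httpclient above -->
    <httpcore.version>4.3.3</httpcore.version>
  </properties>

  <!-- Every module that declares httpclient without a <version> picks this up. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>${httpclient.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- webapp/pom.xml: the only module that pulls in httpcore directly. -->
<project>
  <parent>
    <groupId>org.apache.oozie</groupId>
    <artifactId>oozie-main</artifactId>
  </parent>
  <artifactId>oozie-webapp</artifactId>

  <dependencies>
    <!-- no <version>: inherited from the parent's dependencyManagement -->
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
    </dependency>
    <!-- version comes from the property defined in the main pom -->
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpcore</artifactId>
      <version>${httpcore.version}</version>
    </dependency>
  </dependencies>
</project>
```

To confirm that no module still resolves a pre-4.3.6 HttpClient (for example through a transitive dependency that overrides the managed version), run `mvn dependency:tree -Dincludes=org.apache.httpcomponents` from the main pom and check that every listed {{httpclient}} and {{httpcore}} entry carries the expected version.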

This message was sent by Atlassian JIRA
