Robert Kanter commented on OOZIE-2538:

Even though httpcore is only used in webapp, we should still declare the 
version at the root pom.  We should be declaring all dependency versions there 
and not declaring any versions in lower down pom files (except for some special 
cases where we need to use two versions of something (e.g. guava)).

> Update HttpClient versions to close security vulnerabilities
> ------------------------------------------------------------
>                 Key: OOZIE-2538
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2538
>             Project: Oozie
>          Issue Type: Bug
>          Components: core
>            Reporter: Abhishek Bafna
>            Assignee: Abhishek Bafna
>             Fix For: 4.3.0
>         Attachments: OOZIE-2538-01.patch, OOZIE-2538-02.patch, 
> OOZIE-2538.patch
> We learned that
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : 
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents 
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting 
> during an SSL handshake, which allows remote attackers to cause a denial of 
> service (HTTPS call hang) via unspecified vectors.
> Also, Commons HttpClient project is now end of life, and is no longer being 
> developed. It has been replaced by the Apache HttpComponents project in its 
> HttpClient and HttpCore modules, which offer better performance and more 
> flexibility.  http://hc.apache.org/httpclient-3.x/
> Hence, HttpClient version should be updated.

This message was sent by Atlassian JIRA

Reply via email to