[ https://issues.apache.org/jira/browse/DOXIA-576?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sylwester Lachiewicz reassigned DOXIA-576:
------------------------------------------

    Assignee: Sylwester Lachiewicz

> Upgrade Http Components to 4.4.11 (core) and 4.5.8 (httpclient)
> ---------------------------------------------------------------
>
>                 Key: DOXIA-576
>                 URL: https://issues.apache.org/jira/browse/DOXIA-576
>             Project: Maven Doxia
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Minor
>             Fix For: 1.9
>
>
> The following vulnerabilities are fixed with an upgrade:
>
> [CVE-2011-1498|https://nvd.nist.gov/vuln/detail/CVE-2011-1498]
> Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with
> an authenticating proxy server, sends the Proxy-Authorization header to the
> origin server, which allows remote web servers to obtain sensitive
> information by logging this header. [Snyk.io
> details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30644]
>
> [CVE-2012-6153|https://nvd.nist.gov/vuln/detail/CVE-2012-6153]
> http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before
> 4.2.3 does not properly verify that the server hostname matches a domain name
> in the subject's Common Name (CN) or subjectAltName field of the X.509
> certificate, which allows man-in-the-middle attackers to spoof SSL servers
> via a certificate with a subject that specifies a common name in a field that
> is not the CN field. NOTE: this issue exists because of an incomplete fix for
> CVE-2012-5783. [Snyk.io
> details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30645]
>
> [CVE-2014-3577|https://nvd.nist.gov/vuln/detail/CVE-2014-3577]
> Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with
> an authenticating proxy server, sends the Proxy-Authorization header to the
> origin server, which allows remote web servers to obtain sensitive
> information by logging this header. [Snyk.io
> details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646]
>
> [CVE-2015-5262|https://nvd.nist.gov/vuln/detail/CVE-2015-5262]
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting
> during an SSL handshake, which allows remote attackers to cause a denial of
> service (HTTPS call hang) via unspecified vectors. [Snyk.io
> details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30647]
>
> HTTPCLIENT-1803
> Affected versions of the package are vulnerable to Directory Traversal,
> which may allow access to sensitive files and data on the server. [Snyk.io
> details|https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517]
>
> Discovered with [Snyk.io|https://snyk.io/] scan.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
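The issue names the versions the upgrade moves Doxia to (httpcore 4.4.11, httpclient 4.5.8). A project that consumes Doxia still has to confirm that its own build resolves those versions rather than an older copy pulled in transitively by some other dependency, since Maven's nearest-wins resolution can silently pick the older one. The script below is an added example, not code from the Doxia project or from the issue reporter: it parses the output of `mvn dependency:list` and reports any org.apache.httpcomponents artifact resolved below the versions the issue names. The embedded Maven output is constructed for the example, and the version ordering is an assumed simplification of Maven's own comparison that is adequate for HttpComponents' plain x.y.z and x.y.z-qualifier version strings.

```python
"""Flag HttpComponents artifacts resolved below the versions DOXIA-576 upgrades to.

Added example: pipe `mvn dependency:list` output into this script; it exits
non-zero if httpcore < 4.4.11 or httpclient < 4.5.8 is on the resolved classpath.
"""
import re
import sys
from typing import Dict, List, Tuple

# Versions the issue upgrades to; anything older is treated as still carrying
# the CVEs listed in the issue description.
MIN_VERSIONS: Dict[Tuple[str, str], str] = {
    ("org.apache.httpcomponents", "httpcore"): "4.4.11",
    ("org.apache.httpcomponents", "httpclient"): "4.5.8",
}

# `mvn dependency:list` prints each resolved artifact as
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(r"^\[INFO\]\s+(?P<coords>[\w.\-]+(?::[\w.\-]+){4,5})\s*$")

# Constructed sample output (not a real build log): httpcore is already at the
# upgraded version, but httpclient is still an older 4.5.x.
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ example-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO]    org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]    commons-io:commons-io:jar:2.6:compile
[INFO]    junit:junit:jar:4.12:test
[INFO]
"""


def version_key(version: str):
    """Sortable key: numeric components first, then release above pre-release.

    Assumption: a simplification of Maven's ComparableVersion that is enough
    for x.y.z and x.y.z-qualifier strings (e.g. 4.5.8-beta1 < 4.5.8).
    """
    parts = re.split(r"[.\-]", version)
    numbers: List[int] = []
    qualifier = ""
    for index, part in enumerate(parts):
        if part.isdigit():
            numbers.append(int(part))
        else:
            qualifier = "-".join(parts[index:])
            break
    numbers += [0] * (4 - len(numbers))  # so that 4.5 compares equal to 4.5.0
    return (tuple(numbers[:4]), 0 if qualifier else 1, qualifier)


def parse_dependency_list(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (groupId, artifactId, version, scope) for each resolved artifact."""
    deps = []
    for line in text.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue
        fields = match.group("coords").split(":")
        if len(fields) == 5:
            group, artifact, _type, version, scope = fields
        else:  # six fields: a classifier sits between type and version
            group, artifact, _type, _classifier, version, scope = fields
        deps.append((group, artifact, version, scope))
    return deps


def find_vulnerable(deps, minimums=MIN_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (groupId:artifactId, resolved version, required minimum) for every
    tracked artifact resolved below its minimum. Scope is deliberately ignored:
    a test-scoped copy still matters if the tests make real HTTP calls."""
    findings = []
    for group, artifact, version, _scope in deps:
        minimum = minimums.get((group, artifact))
        if minimum is not None and version_key(version) < version_key(minimum):
            findings.append((f"{group}:{artifact}", version, minimum))
    return findings


def main() -> int:
    # Read a real build log from stdin; fall back to the constructed sample.
    text = SAMPLE_MVN_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    findings = find_vulnerable(parse_dependency_list(text))
    for coords, version, minimum in findings:
        print(f"{coords} resolved at {version}, need >= {minimum}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `mvn -q dependency:list | python check_httpcomponents.py` in CI so the build fails when an older httpclient or httpcore is still on the classpath; on the constructed sample it reports httpclient 4.5.2 as below 4.5.8 and exits 1. The minimums in `MIN_VERSIONS` are the versions this issue upgrades to; they are not a claim about which exact release fixed each CVE, which the issue text itself lists per CVE.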
