[jira] [Commented] (AXIS2-5761) Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2

Tue, 19 Apr 2016 12:17:37 -0700 

    [ 
https://issues.apache.org/jira/browse/AXIS2-5761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15248448#comment-15248448
 ] 

Andreas Veithen commented on AXIS2-5761:
----------------------------------------

I don't think we can just remove commons-httpclient 3.1. What we can do is to 
make the httpclient 4.x based transport the default and deprecate the 
commons-httpclient 3.1 based one. Maybe we can also move these two 
implementations to two different Maven modules, so that people switching to the 
httpclient 4.x based transport don't get the dependency on commons-httpclient 
3.1. Note that all this would only be in scope for 1.8.0, not for a 1.7.x 
maintenance release.

> Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2 
> ----------------------------------------------------------------------------
>
>                 Key: AXIS2-5761
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5761
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.7.0, 1.7.1
>            Reporter: Deepak
>
> Hi
> Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2, 
> as this version of httpclient bundled in axis2-1.7.1 is exposed to to the 
> vulnerability CVE-2012-6153, CVE-2014-3577
> The Vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in 
> Apache Commons HttpClient before 4.2.3" is vulnerability. 
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> Additional information on these vulnerabilities can be found at these links:
> https://exchange.xforce.ibmcloud.com/vulnerabilities/95327
> https://exchange.xforce.ibmcloud.com/vulnerabilities/95328
> http://archives.neohapsis.com/archives/bugtraq/2014-08/0089.html
> Dependency of commons-httpclient-3.1.jar should be upgraded to the newer GA 
> versions available (https://hc.apache.org/downloads.cgi) 
> Regds,
> Deepak



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to