[jira] [Commented] (AXIS2-5761) Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2

Mon, 25 Apr 2016 13:53:05 -0700 

    [ 
https://issues.apache.org/jira/browse/AXIS2-5761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15257027#comment-15257027
 ] 

Deepak commented on AXIS2-5761:
-------------------------------

Hi

Thanks, with the latest changes, I could checkout the source from the trunk and 
could successfully build in my local environment. Now these are in the 1.8.0 
Snapshot, and as I believe the release of Axis2 1.8 is anytime soon. So to 
overcome the problem in the existing Axis2 1.7.x release, you suggested, "can 
be used in a secure way by configuring the HttpClient 4.x based transport and 
upgrading the HttpClient version". Can you please elaborate or point me to the 
suggested changes that are required to do this. Here I believe by specifying 
the configuration changes, you meant the pom file

Regds,
Deepak

> Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2 
> ----------------------------------------------------------------------------
>
>                 Key: AXIS2-5761
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5761
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.7.0, 1.7.1
>            Reporter: Deepak
>             Fix For: 1.8.0
>
>
> Hi
> Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2, 
> as this version of httpclient bundled in axis2-1.7.1 is exposed to to the 
> vulnerability CVE-2012-6153, CVE-2014-3577
> The Vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in 
> Apache Commons HttpClient before 4.2.3" is vulnerability. 
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> Additional information on these vulnerabilities can be found at these links:
> https://exchange.xforce.ibmcloud.com/vulnerabilities/95327
> https://exchange.xforce.ibmcloud.com/vulnerabilities/95328
> http://archives.neohapsis.com/archives/bugtraq/2014-08/0089.html
> Dependency of commons-httpclient-3.1.jar should be upgraded to the newer GA 
> versions available (https://hc.apache.org/downloads.cgi) 
> Regds,
> Deepak



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to