[
https://issues.apache.org/jira/browse/AXIS2-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298830#comment-15298830
]
Andreas Veithen commented on AXIS2-5757:
----------------------------------------
HTTPClient 4.3.x is not fully backwards compatible with 4.2.x and upgrading
will require code changes in Axis2 to make it compatible. Since Axis2 is an
Open Source project run by volunteers, no timeline can be given. Note that
patches are always welcome.
> Version of httpclient bundled in axis2-1.7.1 is exposed to to the
> vulnerability CVE-2012-6153, CVE-2014-3577
> -------------------------------------------------------------------------------------------------------------
>
> Key: AXIS2-5757
> URL: https://issues.apache.org/jira/browse/AXIS2-5757
> Project: Axis2
> Issue Type: Bug
> Components: transports
> Affects Versions: 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
> Environment: Axis2 used as a Web Service Provider for an application
> Reporter: Deepak
> Labels: httpclient
> Fix For: 1.7.2
>
>
> Version of httpclient bundled in axis2-1.7.1 is exposed to to the
> vulnerability CVE-2012-6153, CVE-2014-3577
> Hi
> The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1 is
> susceptible to CVE-2012-6153, CVE-2014-3577
> The Vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in
> Apache Commons HttpClient before 4.2.3" is vulnerability.
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> What plans we have for Axis2 to address this Vulnerability. Will it be fixed
> in the upcoming 1.7.2 or 1.8 release or any other release. If yes, when would
> that be. Reason for this query is our application uses Axis2 and and hence
> exposed to this vulnerability.
> Thanks,
> Regds,
> Deepak
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
