[ https://issues.apache.org/jira/browse/AXIS2-6018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Lazarski updated AXIS2-6018:
-----------------------------------
    Fix Version/s: 1.8.0

> Axis2 users of old Apache HTTPClient versions and CVE-2012-5785
> ---------------------------------------------------------------
>
>                 Key: AXIS2-6018
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6018
>             Project: Axis2
>          Issue Type: Improvement
>            Reporter: Robert Lazarski
>            Assignee: Robert Lazarski
>            Priority: Major
>             Fix For: 1.8.0
>
>
> This issue is to track an issue already fixed in Axis2 1.8.0; CVE-2012-5785 
> is not relevant because it discusses very old versions of Apache HTTPClient 
> from around 2012.
> [https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf]
> From Axis2 1.8.0 on, we removed support for Apache HTTPClient 3.x completely.
> In the 1.7.x release series, removing Apache HTTPClient 3.x and running only 
> 4.x is possible, as explained in AXIS2-5959, but users should still 
> upgrade to Axis2 1.8.0 anyway.
> For Apache HTTPClient 4.x, the link above from 2012 describes problems fixed 
> many years ago. See CVE-2014-3577. 
> All users of Axis2 are encouraged to always run the latest Apache httpcore 
> and httpclient libs.
> The Axis2 1.8.0 release of August 2021 included Apache httpclient 
> version 4.5.13 in our pom.xml and there have been no releases of Apache 
> httpclient since.
> Since Axis2 1.8.0, there was a release of Apache httpcore 4.4.15. Users are 
> encouraged to update their pom.xml to the latest version. The pom.xml in the 
> Axis2 master branch is up to date.


