[
https://issues.apache.org/jira/browse/AXIS2-6018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Lazarski updated AXIS2-6018:
-----------------------------------
Fix Version/s: 1.8.0
> Axis2 users of old Apache HTTPClient versions and CVE-2012-5785
> ---------------------------------------------------------------
>
> Key: AXIS2-6018
> URL: https://issues.apache.org/jira/browse/AXIS2-6018
> Project: Axis2
> Issue Type: Improvement
> Reporter: Robert Lazarski
> Assignee: Robert Lazarski
> Priority: Major
> Fix For: 1.8.0
>
>
> This issue is to track an issue already fixed in Axis2 1.8.0; CVE-2012-5785
> is not relevant because it discusses very old versions of Apache HTTPClient
> from around 2012.
> [https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf]
> From Axis2 1.8.0 on, we removed support for Apache HTTPClient 3.x completely.
> In the 1.7.x release series, removing Apache HTTPClient 3.x and running only
> 4.x is possible as explained in AXIS2-5959 but anyways users should still
> upgrade to Axis2 1.8.0.
> For Apache HTTPClient 4.x, the link above from 2012 describes problems fixed
> many years ago. See CVE-2014-3577.
> All users of Axis2 are encouraged to always run the latest Apache httpcore
> and httpclient libs.
> The Axis2 1.8.0 release the past August 2021 included Apache httpclient
> version 4.5.13 in our pom.xml and there have been no releases of Apache
> httpclient since.
> Since Axis2 1.8.0, there was a release of Apache httpcore 4.4.15. Users are
> encouraged to update their pom.xml to the latest version. The pom.xml in the
> Axis2 master branch is up to date.
>
>
>
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
