[ https://issues.apache.org/jira/browse/AXIS2-6018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski updated AXIS2-6018:
-----------------------------------
    Fix Version/s: 1.8.0

> Axis2 users of old Apache HTTPClient versions and CVE-2012-5785
> ---------------------------------------------------------------
>
>                 Key: AXIS2-6018
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6018
>             Project: Axis2
>          Issue Type: Improvement
>            Reporter: Robert Lazarski
>            Assignee: Robert Lazarski
>            Priority: Major
>             Fix For: 1.8.0
>
>
> This issue is to track an issue already fixed in Axis2 1.8.0; CVE-2012-5785
> is not relevant because it discusses very old versions of Apache HTTPClient
> from around 2012.
>
> [https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf]
>
> From Axis2 1.8.0 on, we removed support for Apache HTTPClient 3.x completely.
>
> In the 1.7.x release series, removing Apache HTTPClient 3.x and running only
> 4.x is possible as explained in AXIS2-5959 but anyways users should still
> upgrade to Axis2 1.8.0.
>
> For Apache HTTPClient 4.x, the link above from 2012 describes problems fixed
> many years ago. See CVE-2014-3577.
>
> All users of Axis2 are encouraged to always run the latest Apache httpcore
> and httpclient libs.
>
> The Axis2 1.8.0 release the past August 2021 included Apache httpclient
> version 4.5.13 in our pom.xml and there have been no releases of Apache
> httpclient since.
>
> Since Axis2 1.8.0, there was a release of Apache httpcore 4.4.15. Users are
> encouraged to update their pom.xml to the latest version. The pom.xml in the
> Axis2 master branch is up to date.

--
This message was sent by Atlassian Jira (v8.20.1#820001)