Hi,

On Fri, Sep 11, 2015 at 04:20:42PM +0200, Emmanuel Bourg wrote:
> On 11/09/2015 15:12, Guido Günther wrote:
>
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892
>
> Thank you for the report Guido. A hanging connection is certainly
> annoying but I fail to understand why it's flagged as a security
> vulnerability.

Since a malicious server can starve client connections _although_ the
client took countermeasures to prevent this (by setting a timeout).

> Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> the version 4.3.6. So if this is really a security issue the
> httpcomponents-client package in stable and oldstable is also affected.

I do think so but I haven't checked yet, and
https://bugzilla.redhat.com/show_bug.cgi?id=1261538 as well as
https://issues.apache.org/jira/browse/HTTPCLIENT-1478?focusedCommentId=13926162&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13926162
claim that it's not yet reproduced for httpcomponents-client 4.2.x. That's
why I didn't file a bug for httpcomponents-client yet, until this is
investigated further.

Cheers,
 -- Guido

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
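The point Guido makes above (a silent server starving a client that did set a timeout) is easy to see on the wire. The following is an added illustration, not code from httpcomponents-client, Debian or any of the bug reports in the thread. It is written against Python's standard library rather than Java, and all host, port and timeout values are arbitrary. A stub server accepts TCP connections and never sends a byte; one client sets its socket timeout before the TLS handshake, the other only after it, which is the ordering the HttpClient fix in 4.3.6 corrected (the timeout was not in force while the handshake ran). The first client fails fast with a timeout; the second stays blocked in the handshake for as long as the server chooses to stay silent.

```python
"""Why a timeout that is applied too late does not protect an HTTPS client.

Added example, not code from httpcomponents-client, Debian or the bug reports
cited in the thread.  Written against the Python standard library rather than
Java; host, port and timeout values are arbitrary.
"""
import socket
import ssl
import threading
import time


class StallingServer:
    """Accepts TCP connections and never sends a byte: a minimal malicious server."""

    def __init__(self):
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        self._listener.listen(5)
        self._listener.settimeout(0.2)             # lets the accept loop poll _stop
        self.port = self._listener.getsockname()[1]
        self._conns = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)
        self._thread.start()

    def _run(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._listener.accept()
            except socket.timeout:
                continue
            self._conns.append(conn)               # keep it open, answer nothing

    def close(self):
        self._stop.set()
        self._thread.join()
        for conn in self._conns:
            conn.close()                           # releases any client still waiting
        self._listener.close()


def tls_connect(port, timeout, timeout_before_handshake):
    """Open a TLS connection to 127.0.0.1:port.

    timeout_before_handshake=True: the socket timeout is set before
    wrap_socket() runs the handshake, so a silent server makes the handshake
    raise socket.timeout.
    timeout_before_handshake=False: the timeout is only set afterwards (the
    ordering HttpClient had before 4.3.6), so the handshake blocks for as long
    as the server stays silent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                # stub peer has no certificate
    sock = socket.socket()
    sock.connect(("127.0.0.1", port))
    if timeout_before_handshake:
        sock.settimeout(timeout)
    tls = ctx.wrap_socket(sock, server_hostname="localhost")  # runs the handshake
    tls.settimeout(timeout)                        # too late if we never get here
    return tls


def probe(port, timeout, timeout_before_handshake, grace):
    """Run tls_connect in a worker thread and report how the client fared.

    Returns ("timed_out" | "connected" | "error" | "hung", elapsed_seconds);
    "hung" means the worker was still blocked after `grace` seconds.
    """
    result = {}

    def worker():
        try:
            tls_connect(port, timeout, timeout_before_handshake).close()
            result["outcome"] = "connected"
        except socket.timeout:
            result["outcome"] = "timed_out"
        except OSError:                            # ssl.SSLError is an OSError too
            result["outcome"] = "error"

    worker_thread = threading.Thread(target=worker, daemon=True)
    start = time.monotonic()
    worker_thread.start()
    worker_thread.join(grace)
    elapsed = time.monotonic() - start
    if worker_thread.is_alive():
        return "hung", elapsed
    return result["outcome"], elapsed


if __name__ == "__main__":
    server = StallingServer()
    try:
        print("timeout before handshake:", probe(server.port, 0.3, True, 3.0))
        print("timeout after handshake: ", probe(server.port, 0.3, False, 1.0))
    finally:
        server.close()
```

The "hung" worker only gets unblocked when `server.close()` tears down the accepted connection; with a real hostile server that never happens, which is why the client-side timeout has to cover the handshake and not just the request/response phase.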

