Control: tag -1 + security patch (this is not about commons-httpclient but about httpcomponents-client)
On Fri, 11 Sep 2015, Guido Günther wrote: > > Note that according to HTTPCLIENT-1478  this was completely fixed in > > the version 4.3.6. So if this is really a security issue the > > httpcomponents-client package in stable and oldstable is also affected. > > I do think so but I haven't checked yet and [...] > claim that it's not yet reproduced for httpcomponents-client 4.2.x > that's why I didn't file a but for httpcomponents-client yet until > this is investigated further. I did look into the source code and it looks like that this was a regression in 4.3.x. So only jessie is affected. squeeze, wheezy (and likely sid) seem to be fine. Coming back to commons-httpclient: RedHat produced a patch here: https://bugzilla.redhat.com/attachment.cgi?id=1072467&action=diff Part of https://bugzilla.redhat.com/show_bug.cgi?id=1259892 BTW, would it not be possible to get rid of commons-httpclient if it has been obsoleted by httpcomponents-client ? Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/ __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.