Posted to java-dev@axis.apache.org by "Andreas Veithen (JIRA)" <ji...@apache.org> on 2016/04/19 21:16:25 UTC

[jira] [Commented] (AXIS2-5761) Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2

    [ https://issues.apache.org/jira/browse/AXIS2-5761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15248448#comment-15248448 ] 

Andreas Veithen commented on AXIS2-5761:
----------------------------------------

I don't think we can just remove commons-httpclient 3.1. What we can do is to make the httpclient 4.x based transport the default and deprecate the commons-httpclient 3.1 based one. Maybe we can also move these two implementations to two different Maven modules, so that people switching to the httpclient 4.x based transport don't get the dependency on commons-httpclient 3.1. Note that all this would only be in scope for 1.8.0, not for a 1.7.x maintenance release.

> Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2 
> ----------------------------------------------------------------------------
>
>                 Key: AXIS2-5761
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5761
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.7.0, 1.7.1
>            Reporter: Deepak
>
> Hi
> Request for removal of dependency of commons-httpclient 3.1 on Apache Axis2, as this version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerabilities CVE-2012-6153 and CVE-2014-3577.
> The Vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3" is vulnerable. (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> Additional information on these vulnerabilities can be found at these links:
> https://exchange.xforce.ibmcloud.com/vulnerabilities/95327
> https://exchange.xforce.ibmcloud.com/vulnerabilities/95328
> http://archives.neohapsis.com/archives/bugtraq/2014-08/0089.html
> Dependency of commons-httpclient-3.1.jar should be upgraded to the newer GA versions available (https://hc.apache.org/downloads.cgi).
> Regds,
> Deepak
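For an Axis2 1.7.x client that wants to stop loading commons-httpclient 3.1 before the 1.8.0 changes described above, the switch happens in the client's axis2.xml. The fragment below is an added example, not text from the issue or configuration shipped by the Axis2 project; the two sender class names are the httpclient3 and httpclient4 transport implementations as I understand them to be packaged in 1.7.x, and the parameter values are the usual defaults.

```xml
<!-- axis2.xml (client side), HTTP transport sender entries.
     Shown as a before/after fragment; a real file carries only one
     "http" and one "https" transportSender. -->

<!-- BEFORE (1.7.x default): backed by commons-httpclient 3.1, the jar
     the issue asks to drop because of the CVEs it cites. -->
<transportSender name="http"
    class="org.apache.axis2.transport.http.impl.httpclient3.HTTPClient3TransportSender">
    <parameter name="PROTOCOL">HTTP/1.1</parameter>
    <parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>

<!-- AFTER: the httpclient 4.x based sender for both http and https.
     With these entries the commons-httpclient 3.1 classes are no longer
     loaded at runtime, so the jar can also be excluded from the build
     (for Maven, an <exclusion> on commons-httpclient:commons-httpclient
     under the axis2 artifacts) and the 4.x httpclient/httpcore artifacts
     added in its place. -->
<transportSender name="http"
    class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
    <parameter name="PROTOCOL">HTTP/1.1</parameter>
    <parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>
<transportSender name="https"
    class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
    <parameter name="PROTOCOL">HTTP/1.1</parameter>
    <parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>
```

After the change, checking the client's runtime classpath (or the Maven dependency tree) for commons-httpclient:commons-httpclient:3.1 confirms the old jar is really gone rather than merely unused.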



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)