Posted to dev@drill.apache.org by GitBox <gi...@apache.org> on 2021/06/04 07:35:12 UTC

[GitHub] [drill] luocooong opened a new pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956

luocooong opened a new pull request #2250:
URL: https://github.com/apache/drill/pull/2250


   # [DRILL-7946](https://issues.apache.org/jira/browse/DRILL-7946): Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956
   
   ## Description
   
   CVE-2020-13956
   
   Vulnerable versions: < 4.5.13
   Patched version: 4.5.13
   
   Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
   
   ## Documentation
   N/A
   
   ## Testing
   Waiting for the unit tests to pass.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
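
Added example (not part of the original thread or of Drill's code): a check over `mvn dependency:tree` output that flags HttpClient versions below the fixed releases named in the CVE text above, comparing version components numerically so that 4.5.9 is not mistaken for newer than 4.5.13. The sample tree, the `com.example` coordinates, the function names and the httpclient5 Maven coordinates are assumptions made for this example.

```python
import re

# Fixed releases, as stated in the CVE-2020-13956 text quoted in the PR.
# The httpclient5 Maven coordinates are an assumption added for this example.
FIXED = {
    "org.apache.httpcomponents:httpclient": (4, 5, 13),
    "org.apache.httpcomponents.client5:httpclient5": (5, 0, 3),
}

# group:artifact:type[:classifier]:version[:scope] as printed by dependency:tree
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")

def version_tuple(version):
    """Leading numeric components, so 4.5.9 sorts below 4.5.13."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def parse_coordinate(line):
    """Return (group:artifact, version) from one tree line, or None."""
    m = COORD.search(line)
    if not m:
        return None
    parts = m.group(0).split(":")
    # Six fields means a classifier sits before the version.
    version = parts[4] if len(parts) == 6 else parts[3]
    return f"{parts[0]}:{parts[1]}", version

def find_vulnerable(tree_output):
    """List (artifact, found version, fixed version) for affected entries."""
    findings = []
    for line in tree_output.splitlines():
        coord = parse_coordinate(line)
        if coord and coord[0] in FIXED:
            fixed = FIXED[coord[0]]
            # Unparseable versions give () and are flagged for manual review.
            if version_tuple(coord[1]) < fixed:
                findings.append((coord[0], coord[1], ".".join(map(str, fixed))))
    return findings

# Constructed sample output, not taken from the Drill build.
SAMPLE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.9:runtime
[INFO] +- org.apache.httpcomponents:httpclient:jar:tests:4.5.13:test
[INFO] \- org.apache.httpcomponents.client5:httpclient5:jar:5.0.1:compile
"""

if __name__ == "__main__":
    for artifact, found, fixed in find_vulnerable(SAMPLE):
        print(f"{artifact} {found} is below {fixed}")
```

Running the check against the full transitive tree matters because an older HttpClient can arrive through another dependency even after the direct one is bumped.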



[GitHub] [drill] laurentgo merged pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956

Posted by GitBox <gi...@apache.org>.
laurentgo merged pull request #2250:
URL: https://github.com/apache/drill/pull/2250


   





[GitHub] [drill] luocooong commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956

Posted by GitBox <gi...@apache.org>.
luocooong commented on pull request #2250:
URL: https://github.com/apache/drill/pull/2250#issuecomment-855021048


   @cgivre Great. Thanks for your suggestion! I almost forgot the `okhttp` library.





[GitHub] [drill] cgivre commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956

Posted by GitBox <gi...@apache.org>.
cgivre commented on pull request #2250:
URL: https://github.com/apache/drill/pull/2250#issuecomment-854913769


   @luocooong 
   Thanks for this PR.  I'm fine with merging this as is, but in the future would we want to consider migrating to `okhttp`? 

