Posted to dev@oozie.apache.org by "Abhishek Bafna (JIRA)" <ji...@apache.org> on 2016/09/16 13:57:21 UTC

[jira] [Updated] (OOZIE-2538) Update HttpClient versions to close security vulnerabilities

     [ https://issues.apache.org/jira/browse/OOZIE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhishek Bafna updated OOZIE-2538:
----------------------------------
    Attachment: OOZIE-2538-02.patch

Thanks [~rkanter] for the review.

Removed the version {{httpclient.version}} for the {{httpclient}} dependency, as it will be coming from the main pom.
The {{httpcore.version}} version property is defined in the main pom and used in the {{webapp}} pom.xml. The {{httpcore}} dependency is used only once, i.e. in the {{webapp}} module.

> Update HttpClient versions to close security vulnerabilities
> ------------------------------------------------------------
>
>                 Key: OOZIE-2538
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2538
>             Project: Oozie
>          Issue Type: Bug
>          Components: core
>            Reporter: Abhishek Bafna
>            Assignee: Abhishek Bafna
>             Fix For: 4.3.0
>
>         Attachments: OOZIE-2538-01.patch, OOZIE-2538-02.patch, OOZIE-2538.patch
>
>
> We learned that
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
> Also, the Commons HttpClient project is now end of life and is no longer being developed. It has been replaced by the Apache HttpComponents project in its HttpClient and HttpCore modules, which offer better performance and more flexibility. http://hc.apache.org/httpclient-3.x/
> Hence, the HttpClient version should be updated.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
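As an added illustration of the arrangement the comment above describes (the HttpComponents version properties defined once in the main pom, with module poms inheriting them through dependencyManagement), here is a minimal parent/child pom pair. This is not Oozie's own pom.xml and not the attached patch: the group id, artifact ids, module name and version values are assumptions, with the httpclient value chosen only to be at or above 4.3.6, the first release the CVE text names as fixed. The fence holds the two files one after the other, separated by comment headers.

```xml
<!-- ===== File 1: main (parent) pom.xml ===== -->
<!-- The only place where the HttpComponents versions are written down. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>             <!-- assumed coordinates, not Oozie's -->
  <artifactId>example-main</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Assumed values for illustration. CVE-2015-5262 is fixed in httpclient 4.3.6
         and later, so anything below that would reintroduce the SSL-handshake hang. -->
    <httpclient.version>4.3.6</httpclient.version>
    <httpcore.version>4.3.3</httpcore.version>
  </properties>

  <!-- dependencyManagement pins versions without adding the dependency to every
       module; a module that wants the artifact just names it, version-free. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>${httpclient.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpcore</artifactId>
        <version>${httpcore.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <modules>
    <module>webapp</module>
  </modules>
</project>

<!-- ===== File 2: webapp/pom.xml ===== -->
<!-- The module pom carries no <version> for either artifact; both resolve
     from the parent's dependencyManagement, so bumping the property in the
     main pom updates every module at once. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId>
    <artifactId>example-main</artifactId>
    <version>1.0-SNAPSHOT</version>
  </parent>
  <artifactId>example-webapp</artifactId>
  <packaging>war</packaging>

  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <!-- no version: inherited from the parent's dependencyManagement -->
    </dependency>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpcore</artifactId>
      <!-- no version: inherited from the parent's dependencyManagement -->
    </dependency>
  </dependencies>
</project>
```

After a change like this, running `mvn dependency:tree` from the module directory shows which httpclient and httpcore versions actually ended up on the classpath, which is the check worth doing before closing a CVE ticket: a transitive dependency elsewhere in the build can still pull in an older httpclient unless the managed version wins, and the tree output makes that visible.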