Posted to commits@hc.apache.org by ol...@apache.org on 2017/05/23 07:38:45 UTC

svn commit: r19770 - /release/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt

Author: olegk
Date: Tue May 23 07:38:45 2017
New Revision: 19770

Log:
Added reference to CVE-2013-4366

Modified:
    release/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt

Modified: release/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt
==============================================================================
--- release/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt (original)
+++ release/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt Tue May 23 07:38:45 2017
@@ -186,7 +186,8 @@ Changelog
   *.co.<countrycode>, *.gov.<countrycode>, *.info.<countrycode>, etc as invalid.
   Contributed by Oleg Kalnichevski <olegk at apache.org>
 
-* Ensure X509HostnameVerifier is never null.
+* [CVE-2013-4366] Hostname verification in 4.3 was disabled by default. 
+  Ensure X509HostnameVerifier is never null.
   Contributed by Oleg Kalnichevski <olegk at apache.org>
 
 * [HTTPCLIENT-1405] CONNECT HTTP/1.1 requests lack mandatory 'Host' header.
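
Review bot: The added line "* [CVE-2013-4366] Hostname verification in 4.3 was disabled by default. " ends with a trailing space after "default." that should be stripped. The wording also leaves the relationship between the two sentences implicit: the first states the flaw and the second ("Ensure X509HostnameVerifier is never null.") is the remedy, but nothing says so. Consider joining them so the entry reads as a fix, and state precisely which 4.3 release or releases were affected, so that someone reading the 4.3.x notes can tell from this entry alone whether they need to upgrade.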