Posted to java-user@axis.apache.org by robertlazarski <ro...@gmail.com> on 2021/12/21 03:00:31 UTC

[axis2] For users before 1.8.0, old Apache HTTPClient versions and CVE-2012-5785

See AXIS2-6018. For users of Axis2 1.8.0 there is no issue.

For users of 1.7.x who have upgraded to Apache HTTPClient 4.x as described
in AXIS2-5959, and are using a recent version of Apache HTTPClient
unaffected by CVE-2014-3577 from 2014, there is no issue.

All users are always encouraged to upgrade their Apache HTTPClient jars to
the latest version. Apache httpclient has had no releases since Axis2 1.8.0
was released; however, Apache httpcore has had a recent release. Jar updates
can be done by these pom.xml updates:

    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.13</version>
    </dependency>
    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpcore</artifactId>
        <version>4.4.15</version>
    </dependency>

Users can always build from source to get the latest jars:

git clone https://github.com/apache/axis-axis2-java-core.git

Regards,
Robert
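
The following is an added example, not part of the original post or of the Axis2 project: a shell check that scans a deployment's lib directory for HttpComponents jars older than the versions the post names (httpclient 4.5.13, httpcore 4.4.15) and for the legacy commons-httpclient jar. It assumes Maven-style jar names (`<artifactId>-<version>.jar`) and a `sort` that supports `-V`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a lib directory (e.g. WEB-INF/lib) for HTTP client jars.
# Assumption: jars keep their Maven names, <artifactId>-<version>.jar.

MIN_HTTPCLIENT="4.5.13"   # version named in the post
MIN_HTTPCORE="4.4.15"     # version named in the post

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_httpcomponents DIR: prints one line per finding.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_httpcomponents() {
    dir=$1
    findings=0
    for jar in "$dir"/*.jar; do
        [ -e "$jar" ] || continue          # directory without jars
        name=$(basename "$jar" .jar)
        case $name in
            commons-httpclient-*)
                # Legacy client artifact, predates the HttpClient 4.x line.
                echo "LEGACY  $name (commons-httpclient, pre-4.x client)"
                findings=$((findings + 1)) ;;
            httpclient-[0-9]*)
                ver=${name#httpclient-}
                if version_lt "$ver" "$MIN_HTTPCLIENT"; then
                    echo "OLD     $name (< $MIN_HTTPCLIENT)"
                    findings=$((findings + 1))
                fi ;;
            httpcore-[0-9]*)
                ver=${name#httpcore-}
                if version_lt "$ver" "$MIN_HTTPCORE"; then
                    echo "OLD     $name (< $MIN_HTTPCORE)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

Call it as `audit_httpcomponents /path/to/WEB-INF/lib`; a non-zero exit status means at least one jar is older than the versions in the post or is the legacy client.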