Posted to user@karaf.apache.org by Jean-Baptiste Onofre <jb...@nanthrax.net> on 2020/10/22 05:12:18 UTC
Re: Update apache-httpclient to 4.15.3 to address CVE-2020-13956
Thanks for the update.
I will take a look on the PR shortly.
Regards
JB
> On 21 Oct 2020, at 11:04, Pattan, Sachin <sachin.pattan@sap.com> wrote:
>
> Dear Colleagues,
>
> As per https://bugzilla.redhat.com/show_bug.cgi?id=1886587, http.client libraries below version 4.5.13 have the vulnerability CVE-2020-13956 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956).
>
> Karaf 4.2.x rebundles http.client (4.5.6) classes, as seen at https://github.com/apache/karaf/blob/karaf-4.2.10/jaas/modules/pom.xml#L180. This makes it vulnerable, and hence our security scans are detecting it as a vulnerable library. I created the PR https://github.com/apache/karaf/pull/1243 to update httpclient.version to 4.5.13. Please take a look at it whenever it is possible and include it in the upcoming release of Karaf 4.2.x if it fits well.
>
> Kind regards,
>
>
>
> Sachin Pattan
> The Tools Team
> WDF07 X1.65
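The thread turns on a detail that dependency scanners easily miss: the vulnerable httpclient classes are not a separate jar but are rebundled into a Karaf module jar. The script below is an added example, not Karaf project code or anything from the thread. It walks a directory of jars, flags any jar that carries `org/apache/http/client/` classes, reads the embedded version from the Maven `META-INF/maven/org.apache.httpcomponents/httpclient/pom.properties` file where the rebundling kept it, and compares that against 4.5.13, the fix version given in the thread. The sample jars it builds (names, contents) are constructed here to make the script runnable offline; a real scan would point `scan()` at a Karaf `system/` directory.

```python
"""Find jars that rebundle Apache HttpClient and report whether the embedded
copy predates 4.5.13 (the fix version for CVE-2020-13956 named in the thread).
Added example; not Karaf project code."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (4, 5, 13)
# Maven-built jars record their coordinates here; a rebundling step may drop it.
POM_PROPS = "META-INF/maven/org.apache.httpcomponents/httpclient/pom.properties"
# Package prefix of httpclient 4.x classes (an unrelocated copy).
CLASS_PREFIX = "org/apache/http/client/"


def parse_version(text):
    """Turn '4.5.6' or '4.5.6-SNAPSHOT' into a comparable tuple such as (4, 5, 6)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_jar(path):
    """Return (has_httpclient_classes, version_tuple_or_None) for one jar."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        has_classes = any(n.startswith(CLASS_PREFIX) and n.endswith(".class") for n in names)
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    return has_classes, version


def scan(directory):
    """Return a list of (jar name, status, version) for every jar that embeds httpclient."""
    findings = []
    for jar in sorted(Path(directory).rglob("*.jar")):
        has_classes, version = inspect_jar(jar)
        if not has_classes:
            continue
        if version is None:
            # Classes are present but no pom.properties survived: version must be checked by hand.
            status = "unknown-version"
        elif version < FIXED_VERSION:
            status = "vulnerable"
        else:
            status = "ok"
        findings.append((jar.name, status, version))
    return findings


def build_sample_jars(directory):
    """Constructed sample input (hypothetical jar names): one rebundled 4.5.6 copy,
    one updated 4.5.13 copy, one copy stripped of Maven metadata, one unrelated jar."""
    directory = Path(directory)
    samples = {
        "jaas-modules-old.jar": ("4.5.6", True),
        "jaas-modules-new.jar": ("4.5.13", True),
        "shaded-no-metadata.jar": (None, True),
        "unrelated.jar": (None, False),
    }
    for name, (version, with_classes) in samples.items():
        with zipfile.ZipFile(directory / name, "w") as zf:
            if with_classes:
                zf.writestr(CLASS_PREFIX + "HttpClient.class", b"\xca\xfe\xba\xbe")
            if version:
                zf.writestr(POM_PROPS, "version=%s\ngroupId=org.apache.httpcomponents\n"
                                       "artifactId=httpclient\n" % version)
    return directory


def run_demo():
    """Build the constructed jars in a temp dir, scan them, and return {jar: (status, version)}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {jar: (status, version) for jar, status, version in scan(build_sample_jars(tmp))}


if __name__ == "__main__":
    for jar, (status, version) in run_demo().items():
        print("%s: %s %s" % (jar, status, ".".join(map(str, version)) if version else ""))
```

The "unknown-version" status is the case a practitioner should not ignore: if the rebundling step strips `pom.properties`, or relocates the classes to another package, a scanner keyed on artifact coordinates sees nothing, yet the vulnerable code is still there. For a relocated copy, change `CLASS_PREFIX` to the shaded package and determine the version from the build's `httpclient.version` property, as the PR in the thread does.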