Bug 58514 - jmeter depends on obsolete commons-httpclient library
Status: RESOLVED WONTFIX
Alias: None
Product: JMeter - Now in Github
Classification: Unclassified
Component: Main
Version: 2.11
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: JMeter issues mailing list
Reported: 2015-10-21 15:08 UTC by Markus Koschany
Modified: 2015-10-21 20:27 UTC
Description Markus Koschany 2015-10-21 15:08:57 UTC
jmeter depends on commons-httpclient. https://hc.apache.org/httpclient-3.x/

This library reached EOL status four years ago and was replaced by Apache httpcomponents-client:

https://hc.apache.org/httpcomponents-client-ga/index.html

commons-httpclient was affected by multiple security issues in the past but is no longer supported by its upstream developers. This makes it difficult for Linux distributions to provide any support for applications and libraries which still depend on commons-httpclient.

Please consider making the switch to httpcomponents-client.
Comment 1 Sebb 2015-10-21 16:31:28 UTC
JMeter already uses httpcomponents-client; just make sure you use the appropriate HTTP implementation.
Comment 2 Milamber 2015-10-21 20:19:15 UTC
@sebb I am not sure that the issue was an incorrect choice of the HTTP request implementation. I think that, to create a jmeter package for a Linux distribution, the maintainer must add the HC3.x dependencies because JMeter offers the possibility to use the HC3 HTTP request implementation.

For example, Debian:
https://packages.debian.org/jessie/jmeter
https://packages.debian.org/jessie/libcommons-httpclient-java

One minor security issue for HC (3/4):
https://security-tracker.debian.org/tracker/source-package/commons-httpclient
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5262
Comment 3 Markus Koschany 2015-10-21 20:27:29 UTC
I'm a member of the Debian Java team and we maintain jmeter for Debian. I have reported this bug because we cannot build jmeter without build-depending on commons-httpclient. However, we would like to remove commons-httpclient from Debian because it is unmaintained and its upstream developer strongly recommends switching to httpcomponents-client. Since commons-httpclient was affected by multiple security vulnerabilities in the recent past, we would like to reduce the maintenance burden.

We would prefer that jmeter no longer needs to build-depend on commons-httpclient.
Comment 4 The ASF infrastructure team 2022-09-24 20:38:00 UTC
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/3682