Uploaded image for project: 'Axis2'
  1. Axis2
  2. AXIS2-5759

Upgrade HTTPCore and HTTPClient into latest versions

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 1.7.0, 1.7.1
    • None
    • transports
    • None

    Description

      Axis2 1.7.0 and 1.7.1 ship with vulnerable versions of httpclient-4.2.1.jar and commons-httpclient-3.1.jar:

      CVE-2014-3577 (affected products include Apache HttpClient 4.2.1):
      https://exchange.xforce.ibmcloud.com/vulnerabilities/95327?cm_mc_uid=07675441652414567688362&cm_mc_sid_50200000=1460556797

      CVE-2012-6153 (affected products include Apache HttpClient 4.2.1 and Apache HttpClient 3.1):
      https://exchange.xforce.ibmcloud.com/vulnerabilities/95328?cm_mc_uid=07675441652414567688362&cm_mc_sid_50200000=1460556797

      Additional information on these vulnerabilities can be found at this link:
      http://archives.neohapsis.com/archives/bugtraq/2014-08/0089.html

      httpcore-4.2.1.jar and httpclient-4.2.1.jar should be upgraded to the newer GA versions available (https://hc.apache.org/downloads.cgi) and commons-httpclient-3.1.jar should be removed if possible.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            mceli Miriam Celi
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment