On Thu, 2015-11-05 at 13:12 +0100, Aki Yoshida wrote:
> Hi,
> I have a question about CVE-2015-5262 [1] which talks about an issue
> regarding Httpclient before version 4.3.6. The referred jira ticket
> HTTPCLIENT-1478 [2] from there mentions that this issue has been fixed
> in 4.3.4.
>
>
> Could someone clarify the situation? Is there indeed an issue with
> 4.3.4 and 4.3.5 which is for security reasons not publicly linked from
> the above CVE or if there is an error in either of the documents?
>

No, there is not. HTTPCLIENT-1478 affected deprecated code only. It did
not affect productive code to start with. CVE-2015-5262 should have
never been raised in the first place but some people think being
credited as a reporter of CVE entry is cool.

Oleg

> Regards, Aki
> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
> [2] https://issues.apache.org/jira/browse/HTTPCLIENT-1478
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> For additional commands, e-mail: httpclient-users-h...@hc.apache.org
>