[ https://issues.apache.org/jira/browse/OFBIZ-6755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-6755:
-----------------------------------
    Description: 
The passport component uses commons-httpclient-3.1. This library is not only 
deprecated but also faces a number of vulnerabilities:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153

The solution is to update to httpclient/core-4.4.1 that we have already in 
base/lib


  was:
The passport component uses commons-httpclient-3.1. This library is not only 
deprecated but also faces a number of vulnerabilities:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153

The solution is to update to httpclient-4.5.1 + httpcore-4.4.3 instead

Note that we need to keep commons-httpclient-3.1 because it's needed by 
Axis2-1.6.3 which is the latest Axis2 release :/. I got this test error when 
removed from service/lib:
{code}
RPC service error (org/apache/commons/httpclient/HttpException)

org.ofbiz.service.GenericServiceException: RPC service error (org/apache/commons/httpclient/HttpException)
at org.ofbiz.service.engine.SOAPClientEngine.serviceInvoker(SOAPClientEngine.java:94)
at org.ofbiz.service.engine.SOAPClientEngine.runSync(SOAPClientEngine.java:71)
at org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:395)
at org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:227)
at org.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88)
at org.ofbiz.service.test.ServiceSOAPTests.testSOAPService(ServiceSOAPTests.java:54)
at org.ofbiz.testtools.TestRunContainer.start(TestRunContainer.java:146)
at org.ofbiz.base.container.ContainerLoader.start(ContainerLoader.java:237)
at org.ofbiz.base.start.Start.startStartLoaders(Start.java:408)
at org.ofbiz.base.start.Start.start(Start.java:434)
at org.ofbiz.base.start.Start.main(Start.java:135)
Caused by: org.apache.axis2.deployment.DeploymentException: org/apache/commons/httpclient/HttpException
at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:699)
at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:123)
at org.apache.axis2.deployment.DeploymentEngine.populateAxisConfiguration(DeploymentEngine.java:857)
at org.apache.axis2.deployment.FileSystemConfigurator.getAxisConfiguration(FileSystemConfigurator.java:116)
at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:64)
at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:210)
at org.apache.axis2.client.ServiceClient.configureServiceClient(ServiceClient.java:151)
at org.apache.axis2.client.ServiceClient.<init>(ServiceClient.java:144)
at org.apache.axis2.client.ServiceClient.<init>(ServiceClient.java:251)
at org.ofbiz.service.engine.SOAPClientEngine.serviceInvoker(SOAPClientEngine.java:88)
Caused by: java.lang.NoClassDefFoundError: org/apache/commons/httpclient/HttpException
at java.lang.Class.getDeclaredConstructors0(Native Method)
at java.lang.Class.privateGetDeclaredConstructors(Class.java:2671)
at java.lang.Class.getConstructor0(Class.java:3075)
at java.lang.Class.newInstance(Class.java:412)
at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:684)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.httpclient.HttpException
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
{code}


> Update the passport component to use httpclient/core-4.4.1 instead of 
> commons-httpclient-3.1
> --------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6755
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6755
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: specialpurpose/passport
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Shi Jinghai
>             Fix For: Upcoming Branch
>
>
> The passport component uses commons-httpclient-3.1. This library is not 
> only deprecated but also faces a number of vulnerabilities:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
> The solution is to update to httpclient/core-4.4.1 that we have already in 
> base/lib



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
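
The NoClassDefFoundError in the earlier description shows why a vulnerable jar cannot simply be deleted: other jars may still link against it. As an added example (not part of the original message or of OFBiz), the Python sketch below lists the classes in each jar under a directory whose bytecode mentions the `org/apache/commons/httpclient/` package; the function names and the constructed sample jar are assumptions made for illustration.

```python
import io
import sys
import zipfile
from pathlib import Path

# commons-httpclient 3.x package, in the internal (slash) form used in class files
LEGACY_PKG = b"org/apache/commons/httpclient/"

def classes_referencing(jar_bytes, needle=LEGACY_PKG):
    """Return class entries of a jar whose bytes mention the legacy package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue  # manifests and resources are not link-time dependencies
            if name.encode().startswith(needle):
                continue  # the library's own classes are not dependents
            if needle in jar.read(name):
                hits.append(name)
    return sorted(hits)

def scan_tree(root):
    """Map each jar under root to the classes that still reference 3.x."""
    report = {}
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            hits = classes_referencing(path.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a readable archive, skip it
        if hits:
            report[str(path)] = hits
    return report

def constructed_jar(entries):
    """Build an in-memory jar from {entry name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, classes in scan_tree(root).items():
        print(f"{jar}: {len(classes)} class(es) reference commons-httpclient 3.x")
```

This is a byte-level heuristic: it finds link-time references in the constant pool but not classes loaded reflectively from a dotted name held in a configuration file.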
