[ https://issues.apache.org/jira/browse/OFBIZ-6755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-6755:
-----------------------------------
    Description:
The passport component uses commons-httpclient-3.1. This library is not only deprecated but also faces a number of vulnerabilities:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
The solution is to update to httpclient/core-4.4.1 that we have already in base/lib

  was:
The passport component uses commons-httpclient-3.1. This library is not only deprecated but also faces a number of vulnerabilities:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
The solution is to update to httpclient-4.5.1 + httpcore-4.4.3 instead

Note that we need to keep commons-httpclient-3.1 because it's needed by Axis2-1.6.3 which is the latest Axis2 release :/.
I got this test error when removing it from service/lib:
{code}
RPC service error (org/apache/commons/httpclient/HttpException)
org.ofbiz.service.GenericServiceException: RPC service error (org/apache/commons/httpclient/HttpException)
	at org.ofbiz.service.engine.SOAPClientEngine.serviceInvoker(SOAPClientEngine.java:94)
	at org.ofbiz.service.engine.SOAPClientEngine.runSync(SOAPClientEngine.java:71)
	at org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:395)
	at org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:227)
	at org.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88)
	at org.ofbiz.service.test.ServiceSOAPTests.testSOAPService(ServiceSOAPTests.java:54)
	at org.ofbiz.testtools.TestRunContainer.start(TestRunContainer.java:146)
	at org.ofbiz.base.container.ContainerLoader.start(ContainerLoader.java:237)
	at org.ofbiz.base.start.Start.startStartLoaders(Start.java:408)
	at org.ofbiz.base.start.Start.start(Start.java:434)
	at org.ofbiz.base.start.Start.main(Start.java:135)
Caused by: org.apache.axis2.deployment.DeploymentException: org/apache/commons/httpclient/HttpException
	at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:699)
	at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:123)
	at org.apache.axis2.deployment.DeploymentEngine.populateAxisConfiguration(DeploymentEngine.java:857)
	at org.apache.axis2.deployment.FileSystemConfigurator.getAxisConfiguration(FileSystemConfigurator.java:116)
	at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:64)
	at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:210)
	at org.apache.axis2.client.ServiceClient.configureServiceClient(ServiceClient.java:151)
	at org.apache.axis2.client.ServiceClient.<init>(ServiceClient.java:144)
	at org.apache.axis2.client.ServiceClient.<init>(ServiceClient.java:251)
	at org.ofbiz.service.engine.SOAPClientEngine.serviceInvoker(SOAPClientEngine.java:88)
Caused by: java.lang.NoClassDefFoundError: org/apache/commons/httpclient/HttpException
	at java.lang.Class.getDeclaredConstructors0(Native Method)
	at java.lang.Class.privateGetDeclaredConstructors(Class.java:2671)
	at java.lang.Class.getConstructor0(Class.java:3075)
	at java.lang.Class.newInstance(Class.java:412)
	at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:684)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.httpclient.HttpException
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
{code}

> Update the passport component to use httpclient/core-4.4.1 instead of
> commons-httpclient-3.1
> --------------------------------------------------------------------------------------------
>
> Key: OFBIZ-6755
> URL: https://issues.apache.org/jira/browse/OFBIZ-6755
> Project: OFBiz
> Issue Type: Sub-task
> Components: specialpurpose/passport
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Shi Jinghai
> Fix For: Upcoming Branch
>
>
> The passport component uses commons-httpclient-3.1. This library is not
> only deprecated but also faces a number of vulnerabilities:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
> The solution is to update to httpclient/core-4.4.1 that we have already in
> base/lib