[jira] [Updated] (OOZIE-2538) Update HttpClient versions to close security vulnerabilities

2016-09-16 Thread Abhishek Bafna (JIRA)

 [ 
https://issues.apache.org/jira/browse/OOZIE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Bafna updated OOZIE-2538:
--
Attachment: OOZIE-2538-03.patch

Thanks a lot [~rkanter] for the feedback.

Updated the patch.

> Update HttpClient versions to close security vulnerabilities
> 
>
> Key: OOZIE-2538
> URL: https://issues.apache.org/jira/browse/OOZIE-2538
> Project: Oozie
> Issue Type: Bug
> Components: core
> Reporter: Abhishek Bafna
> Assignee: Abhishek Bafna
> Fix For: 4.3.0
>
> Attachments: OOZIE-2538-01.patch, OOZIE-2538-02.patch, 
> OOZIE-2538-03.patch, OOZIE-2538.patch
>
>
> We learned that
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : 
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents 
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting 
> during an SSL handshake, which allows remote attackers to cause a denial of 
> service (HTTPS call hang) via unspecified vectors.
> Also, Commons HttpClient project is now end of life, and is no longer being 
> developed. It has been replaced by the Apache HttpComponents project in its 
> HttpClient and HttpCore modules, which offer better performance and more 
> flexibility.  http://hc.apache.org/httpclient-3.x/
> Hence, HttpClient version should be updated.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
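
A check for the two conditions the issue description names, as an added example that is not part of the OOZIE-2538 patch or the original message: it flags org.apache.httpcomponents:httpclient older than 4.3.6 (CVE-2015-5262) and any use of the end-of-life Commons HttpClient artifact. It assumes input lines in the `group:artifact:type:version:scope` form printed by `mvn dependency:list` (no classifier); the sample lines are constructed.

```python
import re

# Threshold from the issue text: HttpClient before 4.3.6 is affected by CVE-2015-5262.
FIXED_IN = (4, 3, 6)
HC4 = ("org.apache.httpcomponents", "httpclient")
# Maven coordinates of the end-of-life Commons HttpClient 3.x line.
EOL = ("commons-httpclient", "commons-httpclient")

# Constructed sample of `mvn dependency:list` output (not taken from the Oozie build).
SAMPLE = [
    "[INFO]    org.apache.httpcomponents:httpclient:jar:4.2.5:compile",
    "[INFO]    org.apache.httpcomponents:httpcore:jar:4.2.5:compile",
    "[INFO]    commons-httpclient:commons-httpclient:jar:3.1:compile",
    "[INFO]    org.apache.httpcomponents:httpclient:jar:4.3.6:compile",
    "[INFO] BUILD SUCCESS",
]


def parse_version(text):
    """Turn '4.2.5' or '4.3' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(dependency_lines):
    """Return (coordinate, reason) pairs for dependencies the issue tells us to replace."""
    findings = []
    for raw in dependency_lines:
        parts = raw.replace("[INFO]", "").strip().split(":")
        if len(parts) < 4:
            continue  # not a dependency coordinate (banner, summary line, ...)
        group, artifact, version = parts[0], parts[1], parts[3]
        coordinate = f"{group}:{artifact}:{version}"
        if (group, artifact) == EOL:
            findings.append((coordinate, "Commons HttpClient is end of life"))
        elif (group, artifact) == HC4 and parse_version(version) < FIXED_IN:
            findings.append((coordinate, "CVE-2015-5262: upgrade to 4.3.6 or later"))
    return findings


if __name__ == "__main__":
    for coordinate, reason in audit(SAMPLE):
        print(f"{coordinate}: {reason}")
```
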


[jira] [Updated] (OOZIE-2538) Update HttpClient versions to close security vulnerabilities

2016-08-07 Thread abhishek bafna (JIRA)

 [ 
https://issues.apache.org/jira/browse/OOZIE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

abhishek bafna updated OOZIE-2538:
--
Attachment: OOZIE-2538-01.patch

> Update HttpClient versions to close security vulnerabilities
> 
>
> Key: OOZIE-2538
> URL: https://issues.apache.org/jira/browse/OOZIE-2538
> Project: Oozie
> Issue Type: Bug
> Components: core
> Reporter: abhishek bafna
> Assignee: abhishek bafna
> Fix For: 4.3.0
>
> Attachments: OOZIE-2538-01.patch, OOZIE-2538.patch





[jira] [Updated] (OOZIE-2538) Update HttpClient versions to close security vulnerabilities

2016-08-03 Thread abhishek bafna (JIRA)

 [ 
https://issues.apache.org/jira/browse/OOZIE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

abhishek bafna updated OOZIE-2538:
--
Fix Version/s: 4.3.0

> Update HttpClient versions to close security vulnerabilities
> 
>
> Key: OOZIE-2538
> URL: https://issues.apache.org/jira/browse/OOZIE-2538
> Project: Oozie
> Issue Type: Bug
> Components: core
> Reporter: abhishek bafna
> Assignee: abhishek bafna
> Fix For: 4.3.0
>
> Attachments: OOZIE-2538.patch





[jira] [Updated] (OOZIE-2538) Update HttpClient versions to close security vulnerabilities

2016-05-26 Thread abhishek bafna (JIRA)

 [ 
https://issues.apache.org/jira/browse/OOZIE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

abhishek bafna updated OOZIE-2538:
--
Attachment: OOZIE-2538.patch

> Update HttpClient versions to close security vulnerabilities
> 
>
> Key: OOZIE-2538
> URL: https://issues.apache.org/jira/browse/OOZIE-2538
> Project: Oozie
> Issue Type: Bug
> Components: core
> Reporter: abhishek bafna
> Assignee: abhishek bafna
> Attachments: OOZIE-2538.patch


