abhishek bafna created OOZIE-2538:
-------------------------------------
Summary: Update HttpClient versions to close security vulnerabilities
Key: OOZIE-2538
URL: https://issues.apache.org/jira/browse/OOZIE-2538
Project: Oozie
Issue Type: Bug
Components: core
Reporter: abhishek bafna
Assignee: abhishek bafna
We learned that
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 :
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents
HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting
during an SSL handshake, which allows remote attackers to cause a denial of
service (HTTPS call hang) via unspecified vectors.
Also, the Commons HttpClient project is now end of life, and is no longer being
developed. It has been replaced by the Apache HttpComponents project in its
HttpClient and HttpCore modules, which offer better performance and more
flexibility. http://hc.apache.org/httpclient-3.x/
Hence, the HttpClient version should be updated.
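An added example, not part of the original issue or of Oozie's code: a small Python audit over `mvn dependency:list` output that flags the two conditions the issue describes, HttpClient before 4.3.6 and any use of the end-of-life Commons HttpClient. The sample dependency lines are constructed, and the Maven coordinates used for matching are assumptions about how these libraries appear in a build.

```python
import re

# Thresholds from the issue text: CVE-2015-5262 affects HttpClient before 4.3.6,
# and the Commons HttpClient project is end of life.
FIXED = (4, 3, 6)
HC4 = ("org.apache.httpcomponents", "httpclient")   # assumed Maven coordinates
EOL = ("commons-httpclient", "commons-httpclient")  # assumed Maven coordinates

# Constructed sample in the format printed by `mvn dependency:list`.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.httpcomponents:httpclient:jar:4.3.3:compile
[INFO]    org.apache.httpcomponents:httpcore:jar:4.3.3:compile
[INFO]    commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO]    org.apache.httpcomponents:httpclient:jar:tests:4.3.6:test
[INFO]    org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO]    org.apache.httpcomponents:httpclient:jar:4.4-beta1:runtime
"""

# group:artifact:type[:classifier]:version:scope
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")


def version_tuple(version):
    """Numeric prefix of a version, padded to three parts: '4.4-beta1' -> (4, 4, 0).
    Qualifiers such as -beta1 or -SNAPSHOT are ignored."""
    nums = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in nums.group().split(".")] if nums else [0]
    return tuple((parts + [0, 0, 0])[:3])


def audit(dependency_list):
    """Return (coordinate, version, reason) for every dependency the issue covers."""
    findings = []
    for line in dependency_list.splitlines():
        match = COORD.search(line)
        if not match:
            continue
        fields = match.group().split(":")
        group, artifact, version = fields[0], fields[1], fields[-2]
        if (group, artifact) == EOL:
            findings.append((f"{group}:{artifact}", version, "end of life"))
        elif (group, artifact) == HC4 and version_tuple(version) < FIXED:
            findings.append((f"{group}:{artifact}", version, "CVE-2015-5262"))
    return findings


if __name__ == "__main__":
    for coord, version, reason in audit(SAMPLE):
        print(f"{coord} {version}: {reason}")
```
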