The update has already been merged ;)

Thanks,
Regards,
JB
> On 21 Oct 2020, at 11:04, Pattan, Sachin <sachin.pat...@sap.com> wrote:
>
> Dear Colleagues,
>
> As per https://bugzilla.redhat.com/show_bug.cgi?id=1886587, http.client libraries
> below version 4.5.13 have the vulnerability CVE-2020-13956
> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956).
>
> Karaf 4.2.x rebundles http.client (4.5.6) classes, as seen at
> https://github.com/apache/karaf/blob/karaf-4.2.10/jaas/modules/pom.xml#L180.
> This makes it vulnerable and hence our security scans are detecting it as a
> vulnerable library. I created the PR
> https://github.com/apache/karaf/pull/1243 to update httpclient.version to
> 4.5.13. Please take a look at it whenever it is possible and include it in
> the upcoming release of Karaf 4.2.x if it fits well.
>
> Kind regards,
>
> Sachin Pattan
> The Tools Team
> WDF07 X1.65
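The kind of check the thread describes, a scan for a rebundled httpclient below the fixed 4.5.13 release, as an added example that is not part of the thread and not the Karaf project's own tooling. The pom.xml below is a constructed sample modelled on a property-driven dependency declaration (`httpclient.version` resolved through `${...}`), not the real jaas/modules/pom.xml. The one detail worth seeing in code is that the comparison must be numeric: as strings, "4.5.6" sorts after "4.5.13", so a naive string compare would report the vulnerable version as already fixed.

```python
"""Flag a Maven pom.xml that declares httpclient below the release that fixes CVE-2020-13956."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom (assumption: not the Karaf project's actual file).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <httpclient.version>4.5.6</httpclient.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>${httpclient.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_VERSION = "4.5.13"  # first httpclient release without CVE-2020-13956, per the thread


def parse_version(version):
    """Turn '4.5.13' into (4, 5, 13) so that 4.5.6 < 4.5.13 compares correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolve(value, props):
    """Expand ${property} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_httpclient_versions(pom_text):
    """Return every declared version of org.apache.httpcomponents:httpclient."""
    root = ET.fromstring(pom_text)
    props = {
        prop.tag.split("}", 1)[1]: (prop.text or "").strip()
        for prop in root.findall("m:properties/*", NS)
    }
    versions = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        group = dep.findtext("m:groupId", "", NS)
        artifact = dep.findtext("m:artifactId", "", NS)
        version = dep.findtext("m:version", "", NS)
        if group == "org.apache.httpcomponents" and artifact == "httpclient":
            versions.append(resolve(version, props))
    return versions


def vulnerable_versions(pom_text, fixed=FIXED_VERSION):
    """Declared httpclient versions that are older than the fixed release."""
    return [
        v for v in find_httpclient_versions(pom_text)
        if parse_version(v) < parse_version(fixed)
    ]


if __name__ == "__main__":
    for v in vulnerable_versions(SAMPLE_POM):
        print(f"httpclient {v} is below {FIXED_VERSION}: bump httpclient.version")
```

Run against a real pom the same way (`vulnerable_versions(open("pom.xml").read())`); a project that pins the version through a parent pom or a BOM would need those files merged into `props` first, which the sample does not attempt.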