Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

httpclient 4.5.13 #2074

Merged
merged 8 commits into from
Aug 16, 2021
Merged

httpclient 4.5.13 #2074

merged 8 commits into from
Aug 16, 2021

Conversation

wcekan
Copy link
Contributor

@wcekan wcekan commented May 6, 2021

Description

Avoid CVE-2020-13956

httpclient-4.5.3.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.5.3, cpe:2.3:a:apache:httpclient:4.5.3:*:*:*:*:*:*:*) : CVE-2020-13956

Motivation and Context

Security

How Has This Been Tested?

Unit testing

License

I confirm that this contribution is made under an Apache 2.0 license and that I have the authority necessary to make this contribution on behalf of its copyright owner.

aklish
aklish reviewed May 6, 2021
View reviewed changes
elide-datastore/elide-datastore-aggregation/pom.xml
@@ -104,6 +104,12 @@
</exclusions>
</dependency>

<dependency>
<groupId>org.apache.httpcomponents</groupId>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What requires this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

avatica-core

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed scope to runtime to match the dependencies of calcite

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't use calcite to make HTTP connections though. Is there any reason we can't simply exclude it?

Copy link
Contributor Author

@wcekan wcekan May 6, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. If we mention calcite without any mention of httpclient the downstream will pull in the calcite old version of httpclient. They have the option to exclude it, but sadly maven does not let us exclude on their behalf.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a comment:

Avoid CVE-2020-13956

aklish
aklish requested changes May 6, 2021
View reviewed changes
elide-datastore/elide-datastore-aggregation/pom.xml
@@ -104,6 +104,12 @@
</exclusions>
</dependency>

<dependency>
<groupId>org.apache.httpcomponents</groupId>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a comment:

Avoid CVE-2020-13956

@aklish aklish merged commit debf5ca into master Aug 16, 2021
@aklish aklish deleted the bump-httpclient branch August 16, 2021 22:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aklish aklish aklish approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@wcekan @aklish