Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake
Emmanuel Bourg
ebourg at apache.org
Fri Sep 11 14:20:42 UTC 2015
On 11/09/2015 15:12, Guido Günther wrote:
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892
Thank you for the report, Guido. A hanging connection is certainly
annoying but I fail to understand why it's flagged as a security
vulnerability.
Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
version 4.3.6. So if this is really a security issue, the
httpcomponents-client package in stable and oldstable is also affected.
[1] https://issues.apache.org/jira/browse/HTTPCLIENT-1478