Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 07 Apr 2011 14:43:42 -0400
From: Chad Dougherty <crd@...t.org>
To: oss-security@...ts.openwall.com
CC: CERT Coordination Center <cert@...t.org>
Subject: Apache HttpClient CVE request  [VU#153049]

Hello all,

Per the Apache HttpClient 4.1.1 release notes:

<http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt>

"The HttpClient 4.1.1 is a bug fix release that addresses a number of 
issues reported since release 4.1, including one critical security issue 
(HTTPCLIENT-1061). All users of HttpClient 4.0.x and 4.1 are strongly 
encouraged to upgrade.
[...]
* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization 
header to be sent to the target host when tunneling requests through a 
proxy server that requires authentication.
   Contributed by Oleg Kalnichevski <olegk at apache.org>"

It doesn't look like this has received a CVE identifier and I didn't 
want to duplicate anyone by assigning one from our pool.  Could someone 
please assign one?

Thanks...

	-Chad

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.