Ecwid / consul-api

Java client for Consul HTTP API
Apache License 2.0
416 stars 177 forks

CVE-2020-13956 Upgrade HttpClient and HttpCore #211

Open zwscn2014 opened 3 years ago

zwscn2014 commented 3 years ago

Hi. It's been reported at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956 that Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution. Can you please upgrade HttpClient to 4.5.13 at https://github.com/Ecwid/consul-api/blob/master/build.gradle#L15? Also, as a compile dependency, please upgrade HttpCore to 4.4.13 at https://github.com/Ecwid/consul-api/blob/master/build.gradle#L14.
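An added example, not part of the issue thread or the consul-api project: a Python check that reads `gradle dependencies` tree output and reports HttpClient versions that resolve below the fixed releases named above (4.5.13 and 5.0.3). The sample tree, the `0.0.0` consul-api version and the older HttpClient versions in it are constructed placeholders, and the `httpclient5` coordinate for the 5.x line is an assumption based on Apache's artifact naming, not something stated on this page.

```python
import re

# Fixed releases named in the issue: 4.5.13 for the 4.x line, 5.0.3 for 5.x.
# The 5.x coordinate is an assumption (Apache's published artifact name).
FIXED = {
    "org.apache.httpcomponents:httpclient": (4, 5, 13),
    "org.apache.httpcomponents.client5:httpclient5": (5, 0, 3),
}

# "group:name[:requested][ -> resolved]". Gradle prints "-> resolved" when
# conflict resolution or a constraint changed the version that is actually used.
COORD = re.compile(
    r"(?P<ga>[\w.\-]+:[\w.\-]+)(?::(?P<req>[\w.\-]+))?(?:\s+->\s+(?P<res>[\w.\-]+))?"
)

# Constructed sample of `gradle dependencies` output (versions are placeholders).
SAMPLE_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.ecwid.consul:consul-api:0.0.0
|    +--- org.apache.httpcomponents:httpcore:4.4.9
|    \--- org.apache.httpcomponents:httpclient:4.5.5
|         \--- org.apache.httpcomponents:httpcore:4.4.9 (*)
\--- org.apache.httpcomponents.client5:httpclient5:5.0.1 -> 5.0.3
"""

def parse_version(text):
    """Turn '4.5.13' or '4.5.13-beta1' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def find_vulnerable(tree_text):
    """Return sorted (coordinate, resolved_version) pairs below the fixed release."""
    hits = set()
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m or m.group("ga") not in FIXED:
            continue
        # The resolved version wins over the requested one: that is what ships.
        resolved = m.group("res") or m.group("req")
        if resolved and parse_version(resolved) < FIXED[m.group("ga")]:
            hits.add((m.group("ga"), resolved))
    return sorted(hits)

if __name__ == "__main__":
    for coordinate, version in find_vulnerable(SAMPLE_TREE):
        print(f"{coordinate}:{version} is below the fixed release")
```

Checking the resolved version rather than the requested one matters here: a consumer who forces 4.5.13 in their own build still sees the older requested version in the tree, followed by `-> 4.5.13`.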

anton-zen commented 2 years ago

Is there an ETA on this?

anton-zen commented 2 years ago

There's an existing PR https://github.com/Ecwid/consul-api/pull/221

yeroc commented 2 years ago

Any chance of this getting merged and a new release built?