Description: "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution."
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74381de068c890ea97defeeae91ee47f0233f415 commit 74381de068c890ea97defeeae91ee47f0233f415 Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2021-06-08 18:25:02 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2021-07-10 11:01:10 +0000 dev-java/commons-httpclient: bump to 4.5.13 Bug: https://bugs.gentoo.org/758302 Package-Manager: Portage-3.0.18, Repoman-3.0.2 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Closes: https://github.com/gentoo/gentoo/pull/21197/commits/282b2f490a05b41948ba1b53c856a60c7db58e03 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/commons-httpclient/Manifest | 1 + .../commons-httpclient-4.5.13.ebuild | 73 ++++++++++++++++++++++ 2 files changed, 74 insertions(+)
Thank you! Please stable when ready
Sanity check failed: > dev-java/commons-httpclient-4.5.13 > depend amd64 dev profile default/linux/amd64/17.0/x32 (6 total) > dev-java/httpcore:0 > depend amd64 stable profile default/linux/amd64/17.1 (35 total) > dev-java/httpcore:0 > rdepend amd64 dev profile default/linux/amd64/17.0/x32 (6 total) > dev-java/httpcore:0 > rdepend amd64 stable profile default/linux/amd64/17.1 (35 total) > dev-java/httpcore:0
Unable to check for sanity: > no match for package: dev-java/commons-httpclient-4.5.13
it can go stable, but we still have deps on the old version (3.1-r2 atm).
Sanity check failed: > dev-java/commons-httpclient-4.5.13-r1 > depend amd64 dev profile default/linux/amd64/17.0/x32 (6 total) > dev-java/httpcore:0 > depend amd64 stable profile default/linux/amd64/17.1 (35 total) > dev-java/httpcore:0 > rdepend amd64 dev profile default/linux/amd64/17.0/x32 (6 total) > dev-java/httpcore:0 > rdepend amd64 stable profile default/linux/amd64/17.1 (35 total) > dev-java/httpcore:0
x86 done
amd64 done
ppc64 done all arches done
This bug report is assigned to the wrong package. In https://archive.apache.org/dist/httpcomponents/ there are * commons-httpclient * httpclient The CVE mentioned in #c0 is about 'httpclient', not about the other. dev-java/commons-httpclient-3.1:3 is not affected.
Adjusting summary.
Keywords are not fully specified and arches are not CC-ed for the following packages: - =dev-java/commons-httpclient-4.5.13-r1
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d18d1aae66cb6aebbe9c278c43330ba6f16ee984 commit d18d1aae66cb6aebbe9c278c43330ba6f16ee984 Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2022-01-08 17:44:20 +0000 Commit: Florian Schmaus <flow@gentoo.org> CommitDate: 2022-02-20 18:03:26 +0000 dev-java/httpcomponents-client: New package Split from dev-java/commons-httpclient Bug: https://bugs.gentoo.org/758302 Package-Manager: Portage-3.0.28, Repoman-3.0.3 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Signed-off-by: Florian Schmaus <flow@gentoo.org> dev-java/httpcomponents-client/Manifest | 1 + .../httpcomponents-client-4.5.13-r1.ebuild | 74 ++++++++++++++++++++++ dev-java/httpcomponents-client/metadata.xml | 10 +++ 3 files changed, 85 insertions(+)
(In reply to Volkmar W. Pogatzki from comment #10) > This bug report is assigned to the wrong package. > > In https://archive.apache.org/dist/httpcomponents/ there are > * commons-httpclient > * httpclient > > The CVE mentioned in #c0 is about 'httpclient', not about the other. > dev-java/commons-httpclient-3.1:3 is not affected. Closing as invalid, thanks!
