From ${URL} : It was discovered that Apache HttpClient did not apply a configured connection or read timeout during the initial handshake of an HTTPS connection. As a result, an HTTPS connection could get stuck, causing a denial of service if multiple such connections accumulate.

Upstream patch: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?r1=1560975&r2=1626784

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
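Added illustration of the failure mode described above (not the upstream patch and not HttpClient's own code): a TLS client that applies the connect timeout to the TCP connect and sets SO_TIMEOUT before `startHandshake()`, so a peer that accepts the TCP connection but never sends a ServerHello cannot hold the thread indefinitely. The class name, method names and the silent local server are constructed for the demo.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Constructed helper: layer TLS over TCP with both timeouts enforced during the handshake. */
public final class TlsHandshakeTimeout {

    public static SSLSocket connect(String host, int port, int connectTimeoutMs, int readTimeoutMs)
            throws IOException {
        Socket plain = new Socket();
        // The connect timeout bounds only the TCP three-way handshake.
        plain.connect(new InetSocketAddress(host, port), connectTimeoutMs);
        SSLSocket tls = (SSLSocket) SSLSocketFactory.getDefault().createSocket(plain, host, port, true);
        // The bug: if the read timeout is applied only after the handshake, every blocking read
        // inside startHandshake() is unbounded. Setting SO_TIMEOUT first bounds each of them.
        tls.setSoTimeout(readTimeoutMs);
        try {
            tls.startHandshake();
        } catch (IOException e) {
            tls.close();
            throw e;
        }
        return tls;
    }

    public static void main(String[] args) throws Exception {
        // Constructed peer: accepts the TCP connection and then stays silent (no ServerHello).
        try (ServerSocket silent = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread peer = new Thread(() -> {
                try (Socket s = silent.accept()) { Thread.sleep(30_000); } catch (Exception ignored) { }
            });
            peer.setDaemon(true);
            peer.start();
            long start = System.nanoTime();
            try {
                connect("localhost", silent.getLocalPort(), 1_000, 2_000);
                System.out.println("unexpected: handshake completed");
            } catch (SocketTimeoutException e) {
                // Without the SO_TIMEOUT above, this call would block until the peer went away.
                long ms = (System.nanoTime() - start) / 1_000_000;
                System.out.println("handshake aborted after ~" + ms + " ms: " + e.getMessage());
            }
        }
    }
}
```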
According to https://issues.apache.org/jira/browse/HTTPCLIENT-1478?focusedCommentId=14378223&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14378223, this only affects httpclient version 4.3.6 and below. We package version 4.5, hence this CVE doesn't affect us.

BEWARE: commons-httpclient/httpcore and httpcomponents-client/core are two different projects. The former has been put into the Attic by the ASF (and we should actually look into removing it). See the bottom of this page [1]. Whereas the latter is the continuum of the same project and has been renamed to avoid confusion.

@Security This bug doesn't affect our ebuilds so you can safely close it.

[1] http://hc.apache.org/
Marking as INVALID as per Mikle Kolyada's approval on IRC.