exploitDog

SUSE-SU-2024:4036-1

Опубликовано: 18 нояб. 2024

Источник: suse-cvrf

Описание

Security update for httpcomponents-client, httpcomponents-core

This update for httpcomponents-client, httpcomponents-core fixes the following issues:

httpcomponents-client:

Update to version 4.5.14
- HTTPCLIENT-2206: Corrected resource de-allocation by fluent response objects.
- HTTPCLIENT-2174: URIBuilder to return a new empty list instead of unmodifiable Collections#emptyList.
- Don't retry requests in case of NoRouteToHostException.
- HTTPCLIENT-2144: RequestBuilder fails to correctly copy charset of requests with form url-encoded body.
- PR #269: 4.5.x use array fill and more.
  - Use Arrays.fill().
  - Remove redundant modifiers.
  - Use Collections.addAll() and Collection.addAll() APIs instead of loops.
  - Remove redundant returns.
  - No need to explicitly declare an array when calling a vararg method.
  - Remote extra semicolons (;).
  - Use a 'L' instead of 'l' to make long literals more readable.
- PublicSuffixListParser.parseByType(Reader) allocates but does not use a 256 char StringBuilder.
- Incorrect handling of malformed authority component by URIUtils#extractHost (bsc#1177488, CVE-2020-13956).
- Avoid updating Content-Length header in a 304 response.
- Bug fix: BasicExpiresHandler is annotated as immutable but is not (#239)
- HTTPCLIENT-2076: Fixed NPE in LaxExpiresHandler.

httpcomponents-core:

Upgraded to version 4.4.14
- PR #231: 4.4.x Use better map apis and more.
  - Remove redundant modifiers.
  - Use Collections.addAll() API instead of loops.
  - Remove redundant returns.
  - No need to explicitly declare an array when calling a vararg method.
  - Remote extra semicolons (;).
- Bug fix: Non-blocking TLSv1.3 connections can end up in an infinite event spin when closed concurrently by the local and the remote endpoints.
- HTTPCORE-647: Non-blocking connection terminated due to 'java.io.IOException: Broken pipe' can enter an infinite loop flushing buffered output data.
- PR #201, HTTPCORE-634: Fix race condition in AbstractConnPool that can cause internal state corruption when persistent connections are manually removed from the pool.

Список пакетов

Container bci/openjdk-devel:11

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Container bci/openjdk-devel:17

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Container bci/openjdk-devel:latest

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Container containers/apache-pulsar:3.3

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Container suse/manager/5.0/x86_64/server:latest

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Image SLES15-SP4-Manager-Server-4-3

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Image SLES15-SP4-Manager-Server-4-3-Azure-llc

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Image SLES15-SP4-Manager-Server-4-3-Azure-ltd

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Image SLES15-SP4-Manager-Server-4-3-BYOS

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

Image server-image

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

SUSE Linux Enterprise Module for Development Tools 15 SP5

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

SUSE Linux Enterprise Module for Development Tools 15 SP6

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

SUSE Manager Server Module 4.3

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

openSUSE Leap 15.5

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-client-cache-4.5.14-150200.3.9.1

httpcomponents-client-javadoc-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

httpcomponents-core-javadoc-4.4.14-150200.3.9.1

openSUSE Leap 15.6

httpcomponents-client-4.5.14-150200.3.9.1

httpcomponents-client-cache-4.5.14-150200.3.9.1

httpcomponents-client-javadoc-4.5.14-150200.3.9.1

httpcomponents-core-4.4.14-150200.3.9.1

httpcomponents-core-javadoc-4.4.14-150200.3.9.1

Ссылки

https://www.suse.com/support/update/announcement/2024/suse-su-20244036-1/
Link for SUSE-SU-2024:4036-1
https://lists.suse.com/pipermail/sle-security-updates/2024-November/019823.html
E-Mail link for SUSE-SU-2024:4036-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1177488
SUSE Bug 1177488
https://www.suse.com/security/cve/CVE-2020-13956/
SUSE CVE CVE-2020-13956 page

Описание

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Затронутые продукты

Container bci/openjdk-devel:11:httpcomponents-client-4.5.14-150200.3.9.1

Container bci/openjdk-devel:11:httpcomponents-core-4.4.14-150200.3.9.1

Container bci/openjdk-devel:17:httpcomponents-client-4.5.14-150200.3.9.1

Container bci/openjdk-devel:17:httpcomponents-core-4.4.14-150200.3.9.1

Ссылки

https://www.suse.com/security/cve/CVE-2020-13956.html
CVE-2020-13956
https://bugzilla.suse.com/1177488
SUSE Bug 1177488

Уязвимость SUSE-SU-2024:4036-1