
Outdated/vulnerable dependency (org.apache.httpcomponents:httpclient)

    • 4.3.0

      The library "org.apache.httpcomponents:httpclient" (4.0.1) included in google-compute-engine-plugin contains a vulnerability. Please update the plugin to use the https://github.com/jenkinsci/apache-httpcomponents-client-4-api-plugin.

      It's currently included through google-http-client (pom.xml#L131-L135).

      • CVE-2014-3577
      • CVE-2011-1498
      • CVE-2012-6153

      Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to:

      • avoid security reports warning about that
      • avoid future risky uses of the library that may exploit the vulnerability

      If you like, you can use the bom approach to avoid dealing with the right version; it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/

      Thank you.

      by Ramón León
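The fix the report asks for, as an added `pom.xml` example that is not taken from the google-compute-engine plugin's own build file: the transitive `org.apache.httpcomponents:httpclient` (and its `httpcore` companion) is excluded from `google-http-client`, the shared `apache-httpcomponents-client-4-api` plugin supplies the library instead, and the Jenkins plugin BOM pins its version to the one Jenkins core uses. The version strings are placeholders, and the choice of BOM line (`bom-2.222.x`) is an assumption; pick the line matching the plugin's `jenkins.version`.

```xml
<!-- Added example fragment, not the plugin's actual pom.xml.
     Version values are placeholders; the BOM line is an assumption. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Import the Jenkins plugin BOM so plugin dependency versions
           follow the ones used by Jenkins core. -->
      <dependency>
        <groupId>io.jenkins.tools.bom</groupId>
        <artifactId>bom-2.222.x</artifactId>
        <version>BOM_VERSION_PLACEHOLDER</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Before the fix, google-http-client pulled in
         org.apache.httpcomponents:httpclient 4.0.1 transitively.
         The exclusions below cut that path off. -->
    <dependency>
      <groupId>com.google.http-client</groupId>
      <artifactId>google-http-client</artifactId>
      <version>GOOGLE_HTTP_CLIENT_VERSION_PLACEHOLDER</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.httpcomponents</groupId>
          <artifactId>httpclient</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.apache.httpcomponents</groupId>
          <artifactId>httpcore</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- The shared API plugin now provides httpclient at runtime.
         No <version> here: the imported BOM manages it. -->
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>apache-httpcomponents-client-4-api</artifactId>
    </dependency>
  </dependencies>
</project>
```

After applying the change, `mvn dependency:tree -Dincludes=org.apache.httpcomponents` should show the httpcomponents artifacts only under the `apache-httpcomponents-client-4-api` dependency, with no remaining 4.0.1 entry reached through `google-http-client`; if the plugin code itself calls `org.apache.http` classes, the exclusion also makes that usage an explicit, reviewable dependency rather than an accidental one.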


          Baptiste Mathus added a comment -

          evanbrown hi, do you have any idea when/whether your team could work on fixing this security issue? If not, we'd still be interested to know so possibly someone else can pick this up.

          Thank you!

          Ramon Leon added a comment -

          I believe it's fixed by the release of google-compute-engine 4.3.0 5 days ago.


            evanbrown Evan Brown
            foundation_security_members CloudBees Foundation Security