<div class="container">
<h1>Security update for httpcomponents-client, httpcomponents-core</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2024:4036-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2024-11-18T15:24:16Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1177488">bsc#1177488</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2020-13956.html">CVE-2020-13956</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-13956</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-13956</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Development Tools Module 15-SP5</li>
<li class="list-group-item">Development Tools Module 15-SP6</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP6</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.3 Module 4.3</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for httpcomponents-client, httpcomponents-core fixes the following issues:</p>
<p>httpcomponents-client:
- Update to version 4.5.14
* HTTPCLIENT-2206: Corrected resource de-allocation by fluent
response objects.
* HTTPCLIENT-2174: URIBuilder to return a new empty list instead
of unmodifiable Collections#emptyList.
* Don't retry requests in case of NoRouteToHostException.
* HTTPCLIENT-2144: RequestBuilder fails to correctly copy charset
of requests with form url-encoded body.
* PR #269: 4.5.x use array fill and more.
+ Use Arrays.fill().
+ Remove redundant modifiers.
+ Use Collections.addAll() and Collection.addAll() APIs instead of loops.
+ Remove redundant returns.
+ No need to explicitly declare an array when calling a vararg method.
+ Remote extra semicolons (;).
+ Use a 'L' instead of 'l' to make long literals more readable.
* PublicSuffixListParser.parseByType(Reader) allocates but does
not use a 256 char StringBuilder.
* Incorrect handling of malformed authority component by
URIUtils#extractHost (bsc#1177488, CVE-2020-13956).
* Avoid updating Content-Length header in a 304 response.
* Bug fix: BasicExpiresHandler is annotated as immutable but is
not (#239)
* HTTPCLIENT-2076: Fixed NPE in LaxExpiresHandler.</p>
<p>httpcomponents-core:
- Upgraded to version 4.4.14
* PR #231: 4.4.x Use better map apis and more.
+ Remove redundant modifiers.
+ Use Collections.addAll() API instead of loops.
+ Remove redundant returns.
+ No need to explicitly declare an array when calling a vararg method.
+ Remote extra semicolons (;).
* Bug fix: Non-blocking TLSv1.3 connections can end up in an
infinite event spin when closed concurrently by the local and
the remote endpoints.
* HTTPCORE-647: Non-blocking connection terminated due to
'java.io.IOException: Broken pipe' can enter an infinite loop
flushing buffered output data.
* PR #201, HTTPCORE-634: Fix race condition in AbstractConnPool
that can cause internal state corruption when persistent
connections are manually removed from the pool.</p>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-4036=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2024-4036=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-4036=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-4036=1</code>
</li>
<li class="list-group-item">
SUSE Manager Server 4.3 Module 4.3
<br/>
<code>zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-4036=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.5 (noarch)
<ul>
<li>httpcomponents-client-cache-4.5.14-150200.3.9.1</li>
<li>httpcomponents-core-4.4.14-150200.3.9.1</li>
<li>httpcomponents-client-4.5.14-150200.3.9.1</li>
<li>httpcomponents-client-javadoc-4.5.14-150200.3.9.1</li>
<li>httpcomponents-core-javadoc-4.4.14-150200.3.9.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (noarch)
<ul>
<li>httpcomponents-client-cache-4.5.14-150200.3.9.1</li>
<li>httpcomponents-core-4.4.14-150200.3.9.1</li>
<li>httpcomponents-client-4.5.14-150200.3.9.1</li>
<li>httpcomponents-client-javadoc-4.5.14-150200.3.9.1</li>
<li>httpcomponents-core-javadoc-4.4.14-150200.3.9.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP5 (noarch)
<ul>
<li>httpcomponents-client-4.5.14-150200.3.9.1</li>
<li>httpcomponents-core-4.4.14-150200.3.9.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP6 (noarch)
<ul>
<li>httpcomponents-client-4.5.14-150200.3.9.1</li>
<li>httpcomponents-core-4.4.14-150200.3.9.1</li>
</ul>
</li>
<li>
SUSE Manager Server 4.3 Module 4.3 (noarch)
<ul>
<li>httpcomponents-client-4.5.14-150200.3.9.1</li>
<li>httpcomponents-core-4.4.14-150200.3.9.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2020-13956.html">https://www.suse.com/security/cve/CVE-2020-13956.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1177488">https://bugzilla.suse.com/show_bug.cgi?id=1177488</a>
</li>
</ul>
</div>