diff --git a/SECURITY.md b/SECURITY.md
index 9790ef47d..4c39669ef 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -9,3 +9,17 @@ We support the current minor version in regards to security updates. Versions ar
 If this is a critical vulnerability that you would like to contact us confidentially, email us here: ossteam@innovarhealthcare.com
+
+## Known residual dependencies
+
+- `commons-httpclient-3.0.1.jar` remains on the server classpath for runtime
+ resolution of two deferred call sites:
+ - `WebDavConnection.java` (`HttpURL` / `HttpsURL` — blocked on Apache Slide
+ replacement; tracked under SEC-V2-01).
+ - `HTTPUtil.java` (`Header` / `HttpParser` — blocked on `HttpParser.parseHeaders`
+ equivalent in `org.apache.http`; tracked under SEC-V2-01 companion).
+
+ All other constant-only callers (`HttpReceiver.java`, `MirthWebServer.java`,
+ `ConnectServiceUtil.java`) were migrated in #140. The jar carries unfixed
+ CVE-2012-5783, CVE-2014-3577, and CVE-2015-5262 (MITM / hostname-verification);
+ exposure is bounded to the two WebDAV/HTTP utility call sites above.
diff --git a/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java b/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java
index 0056447e2..16e524f6a 100644
--- a/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java
+++ b/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java
@@ -17,7 +17,7 @@ import java.util.Map;
 import java.util.Set;
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpEntity;
 import org.apache.http.NameValuePair;
diff --git a/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java b/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java
index fc7209ea6..7c6476aea 100644
--- a/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java
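Review bot: The replacement `import org.apache.http.HttpStatus;` is left in the slot of the removed commons-httpclient import, before `import org.apache.commons.io.IOUtils;`, while the file's other `org.apache.http` imports (`HttpEntity`, `NameValuePair`) sit in their own group below it; move it into that group so the import order stays consistent with the rest of the file. The same placement appears in the HttpReceiver.java and MirthWebServer.java hunks of this diff. One thing to confirm outside the hunk: `org.apache.http.HttpStatus` is an interface of `SC_*` constants only, so any use of the 3.x static `HttpStatus.getStatusText(int)` in these files would no longer resolve; this diff's SECURITY.md calls the three callers constant-only, which the import lines alone cannot verify. The enclosing import block continues outside the hunk.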
+++ b/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java
@@ -16,6 +16,7 @@ import java.util.List;
 import java.util.Map;
+// TODO: migrate to Sardine; blocked by Apache Slide dependency (SEC-V2-01)
 import org.apache.commons.httpclient.HttpURL;
 import org.apache.commons.httpclient.HttpsURL;
 import org.apache.commons.io.filefilter.WildcardFileFilter;
diff --git a/server/src/com/mirth/connect/connectors/http/HttpReceiver.java b/server/src/com/mirth/connect/connectors/http/HttpReceiver.java
index 84430abd3..3c4dad5aa 100644
--- a/server/src/com/mirth/connect/connectors/http/HttpReceiver.java
+++ b/server/src/com/mirth/connect/connectors/http/HttpReceiver.java
@@ -72,7 +72,7 @@ import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;
diff --git a/server/src/com/mirth/connect/server/MirthWebServer.java b/server/src/com/mirth/connect/server/MirthWebServer.java
index fc4681715..354aefbbd 100644
--- a/server/src/com/mirth/connect/server/MirthWebServer.java
+++ b/server/src/com/mirth/connect/server/MirthWebServer.java
@@ -40,7 +40,7 @@ import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.configuration2.PropertiesConfiguration;
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.filefilter.FalseFileFilter;
diff --git a/server/src/com/mirth/connect/server/userutil/HTTPUtil.java b/server/src/com/mirth/connect/server/userutil/HTTPUtil.java
index c03704bb7..a90f085ae 100644
--- a/server/src/com/mirth/connect/server/userutil/HTTPUtil.java
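Review bot: The TODO added above `import org.apache.commons.httpclient.HttpURL;` records why the 3.x types stay, but nothing in this diff enforces the SECURITY.md claim that exposure is bounded to this file and HTTPUtil.java — the jar remains on the server classpath, so any other code in the server can still load its classes and a new caller would widen the exposure without failing the build. Consider pairing the TODO with a build-time import ban on `org.apache.commons.httpclient` that allow-lists only these two files, so the "bounded to two call sites" statement becomes something the build checks rather than a note. If, as the comment suggests, the WebDAV transport is Apache Slide running over commons-httpclient 3, then outbound WebDAV-over-HTTPS connections are the path on which the hostname-verification weakness named in SECURITY.md actually applies, and that is worth saying in the comment rather than only the ticket id, e.g. `// TODO(SEC-V2-01): migrate to Sardine; Slide's transport is commons-httpclient 3 (unfixed hostname verification, see SECURITY.md), so WebDAV over HTTPS is the exposed path`. The enclosing import block continues outside the hunk.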
+++ b/server/src/com/mirth/connect/server/userutil/HTTPUtil.java
@@ -21,6 +21,7 @@ import javax.xml.parsers.ParserConfigurationException;
 import org.apache.commons.fileupload.FileUploadBase;
+// TODO: migrate to org.apache.http; blocked on HttpParser equivalent (SEC-V2-01 companion)
 import org.apache.commons.httpclient.Header;
 import org.apache.commons.httpclient.HttpParser;
 import org.apache.commons.io.IOUtils;
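Review bot: The TODO above `import org.apache.commons.httpclient.Header;` states the migration is blocked on an `HttpParser` equivalent, but httpcore 4.x does ship a static header parser, `org.apache.http.impl.io.AbstractMessageParser.parseHeaders(SessionInputBuffer, int, int, LineParser)`, whose maximum header-count and line-length arguments also give a bound the 3.x `HttpParser.parseHeaders` has no obvious counterpart for; it is worth checking whether it fits this call site before treating the blocker as firm. Whether the parsed header text comes from a network peer cannot be told from the hunk, but the `userutil` package name suggests a script-facing API, so the old jar's `Header` type may be part of that surface and the migration should look for callers that name it. The comment could state what is actually needed, e.g. `// TODO(SEC-V2-01 companion): needs a replacement for HttpParser.parseHeaders; candidate: org.apache.http.impl.io.AbstractMessageParser.parseHeaders`. The import block may continue past the end of the hunk.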