Innovar-Healthcare · NSchatz · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/SECURITY.md b/SECURITY.md
@@ -9,3 +9,17 @@ We support the current minor version in regards to security updates. Versions ar
 If this is a critical vulnerability that you would like to contact us confidentially, email us here:
 
 ossteam@innovarhealthcare.com
+
+## Known residual dependencies
+
+- `commons-httpclient-3.0.1.jar` remains on the server classpath for runtime
+  resolution of two deferred call sites:
+  - `WebDavConnection.java` (`HttpURL` / `HttpsURL` — blocked on Apache Slide
+    replacement; tracked under SEC-V2-01).
+  - `HTTPUtil.java` (`Header` / `HttpParser` — blocked on `HttpParser.parseHeaders`
+    equivalent in `org.apache.http`; tracked under SEC-V2-01 companion).
+
+  All other constant-only callers (`HttpReceiver.java`, `MirthWebServer.java`,
+  `ConnectServiceUtil.java`) were migrated in #140. The jar carries unfixed
+  CVE-2012-5783, CVE-2014-3577, and CVE-2015-5262 (MITM / hostname-verification);
+  exposure is bounded to the two WebDAV/HTTP utility call sites above.
diff --git a/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java b/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java
@@ -17,7 +17,7 @@
 import java.util.Map;
 import java.util.Set;
 
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpEntity;
 import org.apache.http.NameValuePair;

diff --git a/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java b/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java
@@ -16,6 +16,7 @@
 import java.util.List;
 import java.util.Map;
 
+// TODO: migrate to Sardine; blocked by Apache Slide dependency (SEC-V2-01)
 import org.apache.commons.httpclient.HttpURL;
 import org.apache.commons.httpclient.HttpsURL;
 import org.apache.commons.io.filefilter.WildcardFileFilter;

diff --git a/server/src/com/mirth/connect/connectors/http/HttpReceiver.java b/server/src/com/mirth/connect/connectors/http/HttpReceiver.java
@@ -72,7 +72,7 @@
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;

diff --git a/server/src/com/mirth/connect/server/MirthWebServer.java b/server/src/com/mirth/connect/server/MirthWebServer.java
@@ -40,7 +40,7 @@
 
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.configuration2.PropertiesConfiguration;
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.filefilter.FalseFileFilter;

diff --git a/server/src/com/mirth/connect/server/userutil/HTTPUtil.java b/server/src/com/mirth/connect/server/userutil/HTTPUtil.java
@@ -21,6 +21,7 @@
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.commons.fileupload.FileUploadBase;
+// TODO: migrate to org.apache.http; blocked on HttpParser equivalent (SEC-V2-01 companion)
 import org.apache.commons.httpclient.Header;
 import org.apache.commons.httpclient.HttpParser;
 import org.apache.commons.io.IOUtils;