Date: Thu, 31 Aug 2017 14:06:34 +0200
From: Nicolas Grégoire <>
Subject: CVE request: incorrect URL parsing in async-http-client <= 2.0.35


A flaw was identified in the URL parsing code of async-http-client, a
Java HTTP client used in other projects like the Play Framework
(through its WS library):

The bug is similar to CVE-2016-8624 affecting cURL (incorrect
processing of string "#@" in the hostname):

Version 2.0.35 of async-http-client includes a fix and is available
through Maven since Monday. Relevant GitHub issue:

Nicolas Grégoire
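
The "#@" bug class described in the message above, as an added example (not part of the original post and not code from async-http-client): a Java guard that accepts an outbound URL only when `java.net.URI` and a deliberately lenient parser agree on an allow-listed host. The class name, `lenientHost`, the allow-list and the sample URLs are constructed for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class AuthorityCheck {
    // RFC 3986 section 3.2: the authority ends at the first '/', '?' or '#',
    // so an '@' after '#' belongs to the fragment, not to userinfo.
    static String strictHost(String url) throws URISyntaxException {
        return new URI(url).getHost();
    }

    // Constructed stand-in for a parser with this bug class: it searches for
    // '@' before cutting the authority. Not the library's actual code.
    static String lenientHost(String url) {
        String rest = url.substring(url.indexOf("://") + 3);
        int at = rest.lastIndexOf('@');
        if (at >= 0) rest = rest.substring(at + 1);
        int end = rest.length();
        for (char c : new char[] {'/', '?', '#', ':'}) {
            int i = rest.indexOf(c);
            if (i >= 0 && i < end) end = i;
        }
        return rest.substring(0, end);
    }

    // Fail closed: both views must agree, and the host must be allow-listed.
    // IPv6 literals are rejected too, because the lenient view cuts at ':'.
    static boolean safeToFetch(String url, List<String> allowed) {
        try {
            String strict = strictHost(url);
            return strict != null
                && strict.equalsIgnoreCase(lenientHost(url))
                && allowed.contains(strict.toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        List<String> allowed = List.of("api.internal.example");
        String[] samples = {                       // constructed inputs
            "http://api.internal.example/v1/status",
            "http://user@api.internal.example/v1/status",
            "http://api.internal.example#@other.example/",
        };
        for (String u : samples) {
            System.out.printf("%-46s strict=%s lenient=%s ok=%b%n", u,
                strictHost(u), lenientHost(u), safeToFetch(u, allowed));
        }
    }
}
```

The third sample is the one the two parsers disagree on: the strict view sees `api.internal.example` with `@other.example/` as the fragment, the lenient view sees `other.example`, and the guard refuses the URL.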
