On 2017-07-24, Jaikiran Pai wrote: > Ivy currently uses commons-httpclient for dealing with HTTP > repositories. This is an internal implementation detail of Ivy. The > way it's implemented, it allows the user to use a version of their > choice, of this library, by placing them in the runtime classpath > (similar to some other libraries we use). The implementation > internally checks for the presence of 2.x as well as 3.x version of > library to decide which version to use at _runtime_ .
Let me point out that even 3.x has long reached end of life. It's successor fixed CVE-2012-5783[1] with 4.2.3 but there hasn't been any 3.x release that has fixed it AFAIK. Stefan [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
