Package opensearch updated to version 3.1.0-alt1 for branch sisyphus in task 388460.

Published: 2025-03-06

BDU:2025-05017

Уязвимость механизма PSL validation клиентского модуля Apache HttpClient средства Apache HttpComponents, позволяющая нарушителю осуществить CSRF-атаку

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

References:

CVE-2025-27820

Published: 2025-04-24
Modified: 2025-07-16

CVE-2025-27820

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

https://github.com/apache/httpcomponents-client/pull/574
https://github.com/apache/httpcomponents-client/pull/621
https://hc.apache.org/httpcomponents-client-5.4.x/index.html
https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8
https://security.netapp.com/advisory/ntap-20250516-0003/

Version: 2.1.2

Package opensearch update in sisyphus on 2025-07-15

ALT-PU-2025-9323-2

Closed vulnerabilities

BDU:2025-05017

CVE-2025-27820