Update Apache HttpClient5 and HttpCore5 (CVE-2025-27820) #18152
kotwanikunal merged 1 commit into opensearch-project:main from
Thanks @reta, was so confused why several plugins also show this. Add a backport label to 3.0/2.19 and will pick up in RC2. Thanks.
|
❌ Gradle check result for 1547318: FAILURE
Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Signed-off-by: Andriy Redko <drreta@gmail.com>
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #18152 +/- ##
============================================
- Coverage 72.53% 72.52% -0.01%
+ Complexity 67207 67198 -9
============================================
Files 5476 5476
Lines 310436 310437 +1
Branches 45121 45121
============================================
- Hits 225179 225154 -25
- Misses 66894 66913 +19
- Partials 18363 18370 +7
@peterzhuamazon @andrross folks mind please re-approving? had to push test fix, thank you
|
The backport to

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.19 2.19
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.19
# Create a new branch
git switch --create backport/backport-18152-to-2.19
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 3fe294621396449b3b826db9815a1b7de8c978d9
# Push it to GitHub
git push --set-upstream origin backport/backport-18152-to-2.19
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.19

Then, create a pull request where the
|
The backport to

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-3.0 3.0
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-3.0
# Create a new branch
git switch --create backport/backport-18152-to-3.0
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 3fe294621396449b3b826db9815a1b7de8c978d9
# Push it to GitHub
git push --set-upstream origin backport/backport-18152-to-3.0
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-3.0

Then, create a pull request where the
|
@peterzhuamazon the 2.x branch is on Apache HttpClient 4.x line
…project#18152) Signed-off-by: Andriy Redko <drreta@gmail.com> (cherry picked from commit 3fe2946)
Thanks @reta, just realized LTR and Async are the only two plugins that manually defined a 5.x http5client in code. Thanks.
|
ML will mitigate the 5.4.1 version and I will bump the one in CCR soon: opensearch-project/opensearch-build#3747 (comment) Thanks.
…project#18152) (opensearch-project#18155) (cherry picked from commit 3fe2946) Signed-off-by: Andriy Redko <drreta@gmail.com> Signed-off-by: Prudhvi Godithi <pgodithi@amazon.com>
Description
Update Apache HttpClient5 and HttpCore5 (CVE-2025-27820)
Related Issues
Mitigation for https://www.mend.io/vulnerability-database/CVE-2025-27820
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.