=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN301
_____________________________________________________________________

DATE                      : 08/04/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Apache HttpComponents HttpClient versions prior to 4.1.1.

======================================================================
http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt
______________________________________________________________________

Release 4.1.1
-------------------

The HttpClient 4.1.1 is a bug fix release that addresses a number of issues reported since
release 4.1, including one critical security issue (HTTPCLIENT-1061). All users of HttpClient 4.0.x
and 4.1 are strongly encouraged to upgrade.

* [HTTPCLIENT-1069] HttpHostConnectException not correctly retried for direct and non-tunnelled
   proxy connections.
   Contributed by Oleg Kalnichevski <olegk at apache.org>

* [HTTPCLIENT-1066] Changed the way URIUtils#rewriteURI handles multiple consecutive slashes in the
   URI path component: multiple leading slashes will be replaced by one slash in order to avoid
   confusion with the authority component. The remaining content of the path will not be modified.
   (also see HTTPCLIENT-929).
   Contributed by Oleg Kalnichevski <olegk at apache.org>

* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be sent to the target
   host when tunneling requests through a proxy server that requires authentication.
   Contributed by Oleg Kalnichevski <olegk at apache.org>

* [HTTPCLIENT-1056] Fixed bug causing the RequestAuthCache protocol interceptor to generate
   an invalid AuthScope instance when looking up user credentials for preemptive authentication.
   Contributed by Oleg Kalnichevski <olegk at apache.org>

* [HTTPCLIENT-1053] Fixed the way DigestScheme generates nonce-count values.
   Contributed by Oleg Kalnichevski <olegk at apache.org>
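
Added example, not part of the Apache release notes and not HttpClient's own code: it uses java.net.URI to illustrate the HTTPCLIENT-1066 entry, showing why a path that begins with two slashes is read as an authority component and what collapsing the leading slashes changes. The class name, the helper collapseLeadingSlashes and the host names are hypothetical.

```java
import java.net.URI;

public class LeadingSlashDemo {

    // Hypothetical helper, not HttpClient's code: replace a run of leading
    // slashes with one slash and leave the rest of the path unmodified.
    static String collapseLeadingSlashes(String path) {
        int n = 0;
        while (n < path.length() && path.charAt(n) == '/') {
            n++;
        }
        return n > 1 ? path.substring(n - 1) : path;
    }

    // Parse the string as a URI reference and resolve it against a base,
    // printing which part the parser treats as authority and which as path.
    static void show(String label, String ref) {
        URI base = URI.create("http://origin.example/app/"); // placeholder host
        URI u = URI.create(ref);
        System.out.printf("%-9s %-26s authority=%s path=%s resolved=%s%n",
                label, ref, u.getAuthority(), u.getPath(), base.resolve(u));
    }

    public static void main(String[] args) {
        // Constructed sample paths; host names are placeholders.
        String[] paths = {
            "//internal.example/admin", // "//" starts an authority component
            "/a//b/c",                  // inner slashes are left alone
            "/index.html"               // already has a single leading slash
        };
        for (String p : paths) {
            show("raw", p);
            show("collapsed", collapseLeadingSlashes(p));
            System.out.println();
        }
    }
}
```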



======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================





