Bug 94791 - Wiki publisher extension uses unsuported httpclient library
Summary: Wiki publisher extension uses unsuported httpclient library
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Extensions (show other bugs)
Version:
(earliest affected)
unspecified
Hardware: All All
: medium major
Assignee: Not Assigned
URL:
Whiteboard: target:5.1.0
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-05 15:18 UTC by Rene Engelhard
Modified: 2016-10-25 19:17 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Rene Engelhard 2015-10-05 15:18:42 UTC 
See http://bugs.debian.org/800992:

--- snip ---
libreoffice depends on libcommons-httpclient-java, which is obsolete and was    
replaced by libhttpclient-java. It has reached EOL status in 2011! It is no     
longer supported upstream [1] and was affected by multiple security issues in   
the recent past. libreoffice should be ported to the new libhttpclient-java     
version, so that we can remove the old, unmaintained one. Please forward this   
issue upstream, if you can't migrate the package yourself.                      
                                                                                
We would like to see libcommons-httpclient-java removed during the Stretch      
release cycle but due to the large number of reverse-dependencies the outcome   
depends more than ever on your help.                                            
                                                                                
Please help us to accomplish this goal.
[...]
[1] https://hc.apache.org/httpclient-3.x/                                       
                                                                                
[2]                                                                          https://security-tracker.debian.org/tracker/source-package/commons-httpclient 
--- snip ---
Comment 1 Björn Michaelsen 2015-10-05 15:35:40 UTC 
I wouldnt mind dropping the MediaWiki extension -- however from a look at configure.ac, we also need is for report-builder :/ :
> if test "$ENABLE_MEDIAWIKI" = "TRUE" -o "$ENABLE_REPORTBUILDER" = "TRUE"; then
>    AC_MSG_CHECKING([which Apache commons-* libs to use])
http://opengrok.libreoffice.org/xref/core/configure.ac#10800
Comment 2 Rene Engelhard 2015-10-05 15:48:38 UTC 
AFAICS only logging. Just that they happen to be together in one apache-commons module...
Comment 3 Rene Engelhard 2015-10-05 15:49:56 UTC 
(jessie)rene@frodo:~/LibreOffice/git/master/swext$ grep httpclient *
Extension_wiki-publisher.mk:$(eval $(call gb_Extension_use_external_project,wiki-publisher,apache_commons_httpclient))
Extension_wiki-publisher.mk:$(eval $(call gb_Extension_add_file,wiki-publisher,commons-httpclient-3.1.jar,$(call gb_UnpackedTarball_get_dir,apache_commons_httpclient)/dist/commons-httpclient.jar))
Jar_mediawiki.mk:	commons-httpclient \
grep: mediawiki: Ist ein Verzeichnis
(jessie)rene@frodo:~/LibreOffice/git/master/swext$ cd ../reportbuilder/
(jessie)rene@frodo:~/LibreOffice/git/master/reportbuilder$ grep httpclient *
grep: java: Ist ein Verzeichnis
grep: registry: Ist ein Verzeichnis
grep: template: Ist ein Verzeichnis
(jessie)rene@frodo:~/LibreOffice/git/master/reportbuilder$
Comment 4 Rene Engelhard 2015-10-05 15:52:33 UTC 
and

(jessie)rene@frodo:~/LibreOffice/git/master/swext$ grep commons *
[...]
Jar_mediawiki.mk:	commons-codec \
Jar_mediawiki.mk:	commons-lang \
Jar_mediawiki.mk:	commons-httpclient \
Jar_mediawiki.mk:	commons-logging \
grep: mediawiki: Ist ein Verzeichnis
(jessie)rene@frodo:~/LibreOffice/git/master/swext$ cd ../reportbuilder/
(jessie)rene@frodo:~/LibreOffice/git/master/reportbuilder$ grep commons *
Jar_reportbuilder.mk:	commons-logging \
grep: java: Ist ein Verzeichnis
grep: registry: Ist ein Verzeichnis
grep: template: Ist ein Verzeichnis
(jessie)rene@frodo:~/LibreOffice/git/master/reportbuilder$ 

so it's definitely only the wiki-publisher.
Comment 5 Rene Engelhard 2015-10-05 16:34:12 UTC 
if we want to remove it: initial work is at https://gerrit.libreoffice.org/19167
Comment 6 Adolfo Jayme Barrientos 2015-10-15 14:19:43 UTC 
With commits f7d149a7 and 4b6ceed4 in place, should we close this now?
Comment 7 Rene Engelhard 2016-05-31 15:35:17 UTC 
would say so, yes...