
Conversation

@reta
Contributor

@reta reta commented Apr 29, 2025

Description

Update Apache HttpClient5 and HttpCore5 (CVE-2025-27820)

Related Issues

Mitigation for https://www.mend.io/vulnerability-database/CVE-2025-27820

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@peterzhuamazon
Member

peterzhuamazon commented Apr 29, 2025

Thanks @reta, was so confused why several plugins also show this.

Add a backport label to 3.0/2.19 and will pick up in RC2.

Thanks.

@github-actions
Contributor

❌ Gradle check result for 1547318: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions
Contributor

✅ Gradle check result for 9df3a24: SUCCESS

@codecov

codecov bot commented Apr 30, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 72.52%. Comparing base (a6724d3) to head (9df3a24).
Report is 8 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main   #18152      +/-   ##
============================================
- Coverage     72.53%   72.52%   -0.01%     
+ Complexity    67207    67198       -9     
============================================
  Files          5476     5476              
  Lines        310436   310437       +1     
  Branches      45121    45121              
============================================
- Hits         225179   225154      -25     
- Misses        66894    66913      +19     
- Partials      18363    18370       +7     


@reta
Contributor Author

reta commented Apr 30, 2025

@peterzhuamazon @andrross folks, mind please re-approving? Had to push a test fix, thank you.

@kotwanikunal kotwanikunal merged commit 3fe2946 into opensearch-project:main Apr 30, 2025
32 checks passed
@opensearch-trigger-bot
Contributor

The backport to 2.19 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.19 2.19
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.19
# Create a new branch
git switch --create backport/backport-18152-to-2.19
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 3fe294621396449b3b826db9815a1b7de8c978d9
# Push it to GitHub
git push --set-upstream origin backport/backport-18152-to-2.19
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.19

Then, create a pull request where the base branch is 2.19 and the compare/head branch is backport/backport-18152-to-2.19.

@opensearch-trigger-bot
Contributor

The backport to 3.0 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-3.0 3.0
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-3.0
# Create a new branch
git switch --create backport/backport-18152-to-3.0
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 3fe294621396449b3b826db9815a1b7de8c978d9
# Push it to GitHub
git push --set-upstream origin backport/backport-18152-to-3.0
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-3.0

Then, create a pull request where the base branch is 3.0 and the compare/head branch is backport/backport-18152-to-3.0.

@reta
Contributor Author

reta commented Apr 30, 2025

@peterzhuamazon the 2.x branch is on Apache HttpClient 4.x line

reta added a commit to reta/OpenSearch that referenced this pull request Apr 30, 2025
@peterzhuamazon
Member

@peterzhuamazon the 2.x branch is on Apache HttpClient 4.x line

Thanks @reta, just realized LTR and Async are the only two plugins that manually define a 5.x http5client in code.
The rest seem in sync with what we have in core.

Thanks.

@peterzhuamazon
Member

peterzhuamazon commented Apr 30, 2025

ML will mitigate the 5.4.1 version and I will bump the one in CCR soon: opensearch-project/opensearch-build#3747 (comment)

./modules/reindex/httpclient5-5.4.4.jar
./modules/opensearch-dashboards/httpclient5-5.4.4.jar
./plugins/opensearch-anomaly-detection/httpclient5-5.4.4.jar
./plugins/opensearch-cross-cluster-replication/httpclient5-5.0.3.jar
./plugins/opensearch-notifications-core/httpclient5-5.4.4.jar
./plugins/opensearch-knn/httpclient5-5.4.4.jar
./plugins/opensearch-alerting/httpclient5-5.4.4.jar
./plugins/opensearch-ml/httpclient5-5.4.1.jar
./plugins/opensearch-security/httpclient5-cache-5.4.4.jar
./plugins/opensearch-security/httpclient5-5.4.4.jar

Thanks.
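The jar listing above is exactly the input an inventory check over a built distribution consumes: the interesting part is not listing the jars but comparing each bundled httpclient5 version against the version the project considers mitigated, so that stragglers like the 5.0.3 and 5.4.1 copies stand out. The following script is an added example and is not part of this pull request or the OpenSearch project. It walks a directory for `httpclient5-*.jar` and `httpclient5-cache-*.jar` files, parses the semantic version out of the file name, and reports any jar below a threshold. The threshold `MIN_SAFE_VERSION` is an assumption to be set from the advisory for CVE-2025-27820; it defaults to 5.4.4 only because that is the version this thread treats as already mitigated. The sample path list is copied from the comment above so the script runs offline without a distribution on disk.

```python
"""Audit a distribution tree for Apache HttpClient5 jars below a chosen version.

Added example; not code from the PR or the OpenSearch project.
"""
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

# ASSUMPTION: the first version accepted as mitigated. Set this from the
# advisory; 5.4.4 is used here only because the thread treats it as fixed.
MIN_SAFE_VERSION: Tuple[int, int, int] = (5, 4, 4)

# Matches both the core artifact and the -cache artifact, capturing the
# artifact name and the three numeric version components.
JAR_RE = re.compile(r"^(httpclient5(?:-cache)?)-(\d+)\.(\d+)\.(\d+)\.jar$")

# Constructed sample input: the paths posted in the comment above.
SAMPLE_PATHS = [
    "./modules/reindex/httpclient5-5.4.4.jar",
    "./modules/opensearch-dashboards/httpclient5-5.4.4.jar",
    "./plugins/opensearch-anomaly-detection/httpclient5-5.4.4.jar",
    "./plugins/opensearch-cross-cluster-replication/httpclient5-5.0.3.jar",
    "./plugins/opensearch-notifications-core/httpclient5-5.4.4.jar",
    "./plugins/opensearch-knn/httpclient5-5.4.4.jar",
    "./plugins/opensearch-alerting/httpclient5-5.4.4.jar",
    "./plugins/opensearch-ml/httpclient5-5.4.1.jar",
    "./plugins/opensearch-security/httpclient5-cache-5.4.4.jar",
    "./plugins/opensearch-security/httpclient5-5.4.4.jar",
    "./plugins/opensearch-security/httpclient5-h2-5.4.4.jar",  # constructed, not matched
]


def parse_jar(path: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (artifact, (major, minor, patch)) for a matching jar, else None."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return m.group(1), version


def audit(paths: Iterable[str],
          min_safe: Tuple[int, int, int] = MIN_SAFE_VERSION) -> List[Tuple[str, str, str]]:
    """Return (path, artifact, version) for every httpclient5 jar below min_safe.

    Tuple comparison gives correct numeric ordering, so 5.4.1 < 5.4.4 and
    5.0.3 < 5.4.4 without the string-compare pitfalls of '5.10' vs '5.9'.
    """
    findings = []
    for path in paths:
        parsed = parse_jar(path)
        if parsed is None:
            continue
        artifact, version = parsed
        if version < min_safe:
            findings.append((path, artifact, ".".join(map(str, version))))
    return findings


def walk_jars(root: str) -> Iterable[str]:
    """Yield every .jar path under root, recursively."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                yield os.path.join(dirpath, name)


if __name__ == "__main__":
    # Usage: python audit_httpclient5.py [distribution-root]
    # With no argument the constructed sample list is audited.
    targets = walk_jars(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    threshold = ".".join(map(str, MIN_SAFE_VERSION))
    for path, artifact, version in audit(targets):
        print(f"{path}: {artifact} {version} is below {threshold}")
```

Running it against the sample list reports only the cross-cluster-replication (5.0.3) and ml (5.4.1) jars, which matches what the comment calls out for follow-up. Point it at an unpacked distribution root to check a real build; the same pattern extends to any other bundled library by changing `JAR_RE` and the threshold.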

prudhvigodithi pushed a commit to prudhvigodithi/OpenSearch that referenced this pull request May 6, 2025