Openfire bundles and uses an ancient / non supported Apache HTTPComponents library. This needs to be updated to keep security folks happy.
Greg, could you kindly comment if this issue is still valid?
Fixed as part of