[AMBARI-23065] Remove dependency on org.apache.httpcomponents:httpclient before version 4.3.5.1 for Ambari Server - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.6.2
Fix Version/s: 2.6.2
Component/s: ambari-server
Labels:
- black-duck
- pull-request-available

Description

Remove dependency on org.apache.httpcomponents:httpclient:jar before version 4.3.5.1 due to security concerns. See

CVE-2015-5262 - https://nvd.nist.gov/vuln/detail/CVE-2015-5262
CVE-2014-3577 - https://nvd.nist.gov/vuln/detail/CVE-2014-3577

--- maven-dependency-plugin:2.8:tree(default-cli) @ ambari-server ---
 org.apache.ambari:ambari-server:jar:2.6.1.0.0
 +- org.apache.httpcomponents:httpclient:jar:4.2.5:compile
 +- org.apache.ambari:ambari-metrics-common:jar:2.6.1.0.0:compile
 |  \- (org.apache.httpcomponents:httpclient:jar:4.2.5:compile - omitted for duplicate)
 +- org.apache.hadoop:hadoop-auth:jar:2.7.2:compile
 |  \- (org.apache.httpcomponents:httpclient:jar:4.2.5:compile - omitted for duplicate)
 \- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
    \- net.java.dev.jets3t:jets3t:jar:0.9.0:compile
       \- (org.apache.httpcomponents:httpclient:jar:4.1.2:compile - omitted for conflict with 4.2.5)

Options

Attachments

Issue Links

is related to

AMBARI-23123 Fix BlackDuck found security issues in Ambari Server

Resolved

links to

GitHub Pull Request #454

Activity

People

Assignee:: Sandor Molnar

Reporter:: Sandor Molnar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Feb/18 13:14

Updated:: 01/Mar/18 19:56

Resolved:: 01/Mar/18 19:14

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: