  1. Ambari
  2. AMBARI-25313

Upgrade dependency on com.mchange:c3p0:jar:0.9.5.2 in Ambari Server


Details

    Description

      Remove dependency on com.mchange:c3p0:jar:0.9.5. in Ambari Server due to security concerns. See

      https://nvd.nist.gov/vuln/detail/CVE-2018-20433

      ± % mvn dependency:tree -Dincludes=com.mchange:c3p0
      [INFO] Scanning for projects...
      [INFO]
      [INFO] ------------------< org.apache.ambari:ambari-server >-------------------
      [INFO] Building Ambari Server 2.7.3.0.0
      [INFO] --------------------------------[ jar ]---------------------------------
      [INFO]
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
      [INFO] org.apache.ambari:ambari-server:jar:2.7.3.0.0
      [INFO] \- com.mchange:c3p0:jar:0.9.5.2:compile
      

      Recommendation is to remove the dependency or upgrade to version 0.9.5.3 or the latest version, if possible.
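A check that could gate a build on the recommendation above, as an added example that is not part of the original ticket or of Ambari's code: it parses `mvn dependency:tree` output and reports any `com.mchange:c3p0` older than 0.9.5.3. The function names, the treatment of `-pre` qualifiers as older than the release, and the use of 0.9.5.3 as the threshold are assumptions of this example.

```python
import re
import sys

# Assumption: 0.9.5.3 is the minimum acceptable version, per the recommendation above.
MIN_FIXED = "0.9.5.3"
TARGET = ("com.mchange", "c3p0")

# Coordinate at the end of a dependency:tree line, after "[INFO]" and any
# tree-drawing prefix ("+- ", "\- ", "|  "). Root lines have 4 fields,
# dependencies 5 (with scope) or 6 (with classifier and scope).
COORD_RE = re.compile(r"^\[INFO\][\s|+\\-]*([\w.\-]+(?::[\w.\-]+){3,5})(?:\s+\(.*\))?$")

# Tree lines copied from the ticket's mvn output.
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.7.3.0.0
[INFO] \- com.mchange:c3p0:jar:0.9.5.2:compile
"""


def version_key(version):
    """Map '0.9.5.2' to a comparable key; '-pre8' style qualifiers rank below the release."""
    numeric, _, qualifier = version.partition("-")
    parts = []
    for piece in numeric.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return (parts, 0 if qualifier else 1)


def find_vulnerable(tree_output, minimum=MIN_FIXED):
    """Return every c3p0 version in the tree output that is older than `minimum`."""
    findings = []
    for line in tree_output.splitlines():
        match = COORD_RE.match(line.strip())
        if not match:
            continue
        fields = match.group(1).split(":")
        version = fields[-2] if len(fields) >= 5 else fields[-1]
        if tuple(fields[:2]) == TARGET and version_key(version) < version_key(minimum):
            findings.append(version)
    return findings


if __name__ == "__main__":
    # Pipe real `mvn dependency:tree` output in, or run bare to check the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = find_vulnerable(text)
    for version in bad:
        print(f"com.mchange:c3p0 {version} is older than {MIN_FIXED}")
    sys.exit(1 if bad else 0)
```

The non-zero exit status lets a CI step fail when the old version reappears, including as a transitive dependency deeper in the tree.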

          People

            kkasa Krisztian Kasa