Sandor Molnar created AMBARI-23065:
--------------------------------------

             Summary: Remove dependency on org.apache.httpcomponents:httpclient before version 4.3.5.1 for Ambari Server
                 Key: AMBARI-23065
                 URL: https://issues.apache.org/jira/browse/AMBARI-23065
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.6.2
            Reporter: Sandor Molnar
            Assignee: Sandor Molnar
             Fix For: 2.6.2, 2.7.0


Remove dependency on org.apache.httpcomponents:httpclient:jar before version 4.3.5.1 due to security concerns.

See
 * CVE-2015-5262 - [https://nvd.nist.gov/vuln/detail/CVE-2015-5262]
 * CVE-2014-3577 - [https://nvd.nist.gov/vuln/detail/CVE-2014-3577]

{noformat}
--- maven-dependency-plugin:2.8:tree(default-cli) @ ambari-server ---
org.apache.ambari:ambari-server:jar:2.6.1.0.0
+- org.apache.httpcomponents:httpclient:jar:4.2.5:compile
+- org.apache.ambari:ambari-metrics-common:jar:2.6.1.0.0:compile
|  \- (org.apache.httpcomponents:httpclient:jar:4.2.5:compile - omitted for duplicate)
+- org.apache.hadoop:hadoop-auth:jar:2.7.2:compile
|  \- (org.apache.httpcomponents:httpclient:jar:4.2.5:compile - omitted for duplicate)
\- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
   \- net.java.dev.jets3t:jets3t:jar:0.9.0:compile
      \- (org.apache.httpcomponents:httpclient:jar:4.1.2:compile - omitted for conflict with 4.2.5)
{noformat}

 * [Options|https://hortonworks.jira.com/browse/BUG-97133?filter=54432]

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
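
Added example, not part of the JIRA message or of Ambari's code: a small Python check that reads dependency:tree output like the listing above and reports every httpclient node below the 4.3.5.1 threshold, together with the dependency path that pulls it in. The function names and the simple numeric version comparison are assumptions made for this sketch; the sample input is the tree from the issue.

```python
import re

# Constructed sample input: the dependency:tree output quoted in the issue.
TREE = r"""org.apache.ambari:ambari-server:jar:2.6.1.0.0
+- org.apache.httpcomponents:httpclient:jar:4.2.5:compile
+- org.apache.ambari:ambari-metrics-common:jar:2.6.1.0.0:compile
|  \- (org.apache.httpcomponents:httpclient:jar:4.2.5:compile - omitted for duplicate)
+- org.apache.hadoop:hadoop-auth:jar:2.7.2:compile
|  \- (org.apache.httpcomponents:httpclient:jar:4.2.5:compile - omitted for duplicate)
\- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
   \- net.java.dev.jets3t:jets3t:jar:0.9.0:compile
      \- (org.apache.httpcomponents:httpclient:jar:4.1.2:compile - omitted for conflict with 4.2.5)
"""
TARGET = "org.apache.httpcomponents:httpclient"
MINIMUM = "4.3.5.1"  # threshold named in the issue summary

# Tree-drawing prefix, optional "(" of an omitted node, then the coordinate.
NODE = re.compile(r"^([ |+\\-]*)\(?([^\s()]+)")

def version_key(version):
    """Crude ordering (assumption): compares the runs of digits only."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def find_old(tree, target=TARGET, minimum=MINIMUM):
    """Return each node for `target` below `minimum`, with the path that pulls it in."""
    findings, path = [], []
    for raw in tree.splitlines():
        line = re.sub(r"^\[INFO\] ?", "", raw)  # accept raw mvn console output too
        m = NODE.match(line)
        if not m or m.group(2).count(":") < 3:
            continue  # banner or blank line, not a dependency node
        depth = len(m.group(1)) // 3  # Maven indents three characters per level
        parts = m.group(2).split(":")
        # group:artifact:type[:classifier]:version[:scope]; the root has no scope
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        ga = ":".join(parts[:2])
        del path[depth:]  # drop siblings and deeper nodes from the current path
        path.append(ga)
        if ga == target and version_key(version) < version_key(minimum):
            findings.append({"version": version, "via": path[:-1],
                             "omitted": "(" in line})
    return findings

if __name__ == "__main__":
    for f in find_old(TREE):
        tag = " (omitted)" if f["omitted"] else ""
        print(f"{f['version']}{tag} <- {' > '.join(f['via'])}")
```

Nodes marked omitted are not additional jars on the classpath, but they show which parents still request an old httpclient and would bring it back if the direct dependency alone were changed.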