[ https://issues.apache.org/jira/browse/AMBARI-23065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandor Molnar resolved AMBARI-23065. ------------------------------------ Resolution: Fixed Fix Version/s: (was: 2.7.0) > Remove dependency on org.apache.httpcomponents:httpclient before version > 4.3.5.1 for Ambari Server > -------------------------------------------------------------------------------------------------- > > Key: AMBARI-23065 > URL: https://issues.apache.org/jira/browse/AMBARI-23065 > Project: Ambari > Issue Type: Bug > Components: ambari-server > Affects Versions: 2.6.2 > Reporter: Sandor Molnar > Assignee: Sandor Molnar > Priority: Critical > Labels: black-duck, pull-request-available > Fix For: 2.6.2 > > Time Spent: 2h > Remaining Estimate: 0h > > Remove dependency on org.apache.httpcomponents:httpclient:jar before version > 4.3.5.1 due to security concerns. See > * CVE-2015-5262 - [https://nvd.nist.gov/vuln/detail/CVE-2015-5262] > * CVE-2014-3577 - [https://nvd.nist.gov/vuln/detail/CVE-2014-3577] > {noformat} > --- maven-dependency-plugin:2.8:tree(default-cli) @ ambari-server --- > org.apache.ambari:ambari-server:jar:2.6.1.0.0 > +- org.apache.httpcomponents:httpclient:jar:4.2.5:compile > +- org.apache.ambari:ambari-metrics-common:jar:2.6.1.0.0:compile > | \- (org.apache.httpcomponents:httpclient:jar:4.2.5:compile - omitted for > duplicate) > +- org.apache.hadoop:hadoop-auth:jar:2.7.2:compile > | \- (org.apache.httpcomponents:httpclient:jar:4.2.5:compile - omitted for > duplicate) > \- org.apache.hadoop:hadoop-common:jar:2.7.2:compile > \- net.java.dev.jets3t:jets3t:jar:0.9.0:compile > \- (org.apache.httpcomponents:httpclient:jar:4.1.2:compile - omitted > for conflict with 4.2.5) > {noformat} > * > * > [Options|https://hortonworks.jira.com/browse/BUG-97133?filter=54432] > h2. -- This message was sent by Atlassian JIRA (v7.6.3#76005)