Krisztian Kasa created AMBARI-25319:
---------------------------------------
Summary: Logsearch: Upgrade dependency on org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE
Key: AMBARI-25319
URL: https://issues.apache.org/jira/browse/AMBARI-25319
Project: Ambari
Issue Type: Bug
Components: logsearch
Affects Versions: 2.7.3
Reporter: Krisztian Kasa
Assignee: Krisztian Kasa
Fix For: 2.7.4
Remove dependency on org.mortbay.jasper:apache-el:jar:8.5.33 in Ambari
Logsearch due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2019-0199
{code}
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-server ---
[INFO] org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]    \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
[INFO]
[INFO] ------------< org.apache.ambari:ambari-logsearch-assembly >-------------
[INFO] Building Ambari Logsearch Assembly 2.7.3.0.0 [13/14]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-assembly ---
[INFO] org.apache.ambari:ambari-logsearch-assembly:jar:2.7.3.0.0
[INFO] \- org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]       \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-logsearch-it >----------------
[INFO] Building Ambari Logsearch Integration Test 2.7.3.0.0 [14/14]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-it ---
[INFO] org.apache.ambari:ambari-logsearch-it:jar:2.7.3.0.0
[INFO] \- org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]       \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
{code}
Recommendation is to remove the dependency or upgrade to version
org.springframework.boot:spring-boot-starter-jetty:jar:2.0.9.RELEASE or the
latest version, if possible.
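An added example, not part of the original issue or the Ambari code base: a small checker that parses `mvn dependency:tree` output and reports the full chain that pulls in a flagged artifact, the way the listing in this issue traces org.mortbay.jasper:apache-el back to spring-boot-starter-jetty. The sample tree is constructed in Maven's standard indented layout; `com.example:unrelated-lib` and the name `find_paths` are assumptions made for the illustration.

```python
import re

# Constructed sample in the standard `mvn dependency:tree` layout, mirroring the
# ambari-logsearch-assembly chain from the issue plus one made-up sibling.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-assembly ---
[INFO] org.apache.ambari:ambari-logsearch-assembly:jar:2.7.3.0.0
[INFO] \\- org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0:compile
[INFO]    \\- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]       +- com.example:unrelated-lib:jar:1.0.0:compile
[INFO]       \\- org.mortbay.jasper:apache-el:jar:8.5.33:compile
[INFO]
"""

# prefix: one 3-character column ("|  " or "   ") per ancestor level below the
# first; marker: "+- " or "\- " on every non-root node; coord: 4 to 6 fields.
NODE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:[| ] {2})*)(?P<marker>[+\\]- )?"
    r"(?P<coord>[^:\s]+(?::[^:\s]+){3,5})$"
)


def find_paths(tree_text, banned):
    """Return every root-to-node chain that ends in a banned groupId:artifactId."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # plugin banners, build headers, empty [INFO] lines
        depth = len(m.group("prefix")) // 3 + (1 if m.group("marker") else 0)
        del stack[depth:]  # drop siblings and deeper nodes from earlier lines
        stack.append(m.group("coord"))
        group_id, artifact_id = m.group("coord").split(":")[:2]
        if f"{group_id}:{artifact_id}" in banned:
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for chain in find_paths(SAMPLE_TREE, {"org.mortbay.jasper:apache-el"}):
        print(" -> ".join(chain))
```

Run against real `mvn dependency:tree` output in CI, a non-empty result can fail the build until the dependency is removed or the parent is upgraded.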