[ https://issues.apache.org/jira/browse/AMBARI-25319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Krisztian Kasa updated AMBARI-25319:
------------------------------------
    Status: Patch Available  (was: Open)

> Logsearch: Upgrade dependency on org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE
> -----------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-25319
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25319
>             Project: Ambari
>          Issue Type: Bug
>          Components: logsearch
>    Affects Versions: 2.7.3
>            Reporter: Krisztian Kasa
>            Assignee: Krisztian Kasa
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.4
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Remove dependency on org.mortbay.jasper:apache-el:jar:8.5.33 in Ambari
> Logsearch due to security concerns. See
> https://nvd.nist.gov/vuln/detail/CVE-2019-0199
> {code}
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-server ---
> [INFO] org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0
> [INFO] \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
> [INFO]    \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
> [INFO]
> [INFO] ------------< org.apache.ambari:ambari-logsearch-assembly >-------------
> [INFO] Building Ambari Logsearch Assembly 2.7.3.0.0 [13/14]
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-assembly ---
> [INFO] org.apache.ambari:ambari-logsearch-assembly:jar:2.7.3.0.0
> [INFO] \- org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0:compile
> [INFO]    \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
> [INFO]       \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
> [INFO]
> [INFO] ---------------< org.apache.ambari:ambari-logsearch-it >----------------
> [INFO] Building Ambari Logsearch Integration Test 2.7.3.0.0 [14/14]
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-it ---
> [INFO] org.apache.ambari:ambari-logsearch-it:jar:2.7.3.0.0
> [INFO] \- org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0:compile
> [INFO]    \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
> [INFO]       \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
> {code}
> Recommendation is to remove the dependency or upgrade to version
> org.springframework.boot:spring-boot-starter-jetty:jar:2.0.9.RELEASE or the
> latest version, if possible.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
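
A check of the kind the issue performs by hand, as an added example that is not part of the original message or of the Ambari project: it parses `mvn dependency:tree` text output and, for each module, returns the chain that pulls in a flagged artifact, so the dependency to upgrade or exclude is visible. It assumes the plugin's default text format with three-character indent tokens; the function names and the `com.example` lines in the sample are constructed for illustration.

```python
import re

# One tree line: "[INFO] " + 3-character indent tokens ("+- ", "\- ", "|  ",
# "   ") + a Maven coordinate with 4 to 6 colon-separated fields.
NODE = re.compile(
    r"^\[INFO\] ((?:[|+\\ ][- ] )*)([A-Za-z][\w.-]*(?::[\w.-]+){3,5})\s*$")

# Sample modelled on the tree in the issue; com.example lines are constructed.
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-server ---
[INFO] org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0
[INFO] +- com.example:placeholder-lib:jar:1.0:compile
[INFO] |  \- com.example:placeholder-util:jar:1.0:compile
[INFO] \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]    \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-assembly ---
[INFO] org.apache.ambari:ambari-logsearch-assembly:jar:2.7.3.0.0
[INFO] \- org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]       \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
"""

def find_paths(tree_output, flagged):
    """Return each root-to-artifact chain ending in `flagged` (groupId:artifactId)."""
    stack, hits = [], []
    for line in tree_output.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # plugin banner, module separator or blank line
        depth = len(m.group(1)) // 3   # depth 0 is the module's own coordinate
        coord = m.group(2)
        del stack[depth:]              # drop siblings and deeper nodes
        stack.append(coord)
        if ":".join(coord.split(":")[:2]) == flagged:
            hits.append(list(stack))
    return hits

def declaring_parent(hits):
    """Map each module root to the dependency that directly brings in the artifact."""
    return {path[0]: path[-2] for path in hits if len(path) > 1}

if __name__ == "__main__":
    for chain in find_paths(SAMPLE, "org.mortbay.jasper:apache-el"):
        print(" -> ".join(chain))
```

Run against real output, a non-empty result for the flagged coordinate can fail a CI step until the declaring dependency is upgraded or the artifact is excluded.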