[AMBARI-25316] Upgrade dependency on org.springframework:spring-web:jar:4.3.18.RELEASE in Ambari Server - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.7.3
Fix Version/s: 2.7.4
Component/s: ambari-server
Labels:
- pull-request-available

Description

Remove dependency on org.springframework.security:spring-security-web 4.3.18.RELEASE in Ambari Server due to security concerns. See

https://nvd.nist.gov/vuln/detail/CVE-2018-15756

[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.ambari:ambari-server >-------------------
[INFO] Building Ambari Server 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
...
[INFO] +- org.springframework:spring-web:jar:4.3.18.RELEASE:compile

Recommendation is to remove the dependency or upgrade to version 4.3.20.RELEASE or the latest version, if possible.

Attachments

Issue Links

links to

GitHub Pull Request #3022

Activity

People

Assignee:: Krisztian Kasa

Reporter:: Krisztian Kasa

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 19/Jun/19 10:05

Updated:: 20/Jun/19 07:05

Resolved:: 20/Jun/19 07:05

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

0.5h