[ https://issues.apache.org/jira/browse/AMBARI-23783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16468130#comment-16468130 ]

Hudson commented on AMBARI-23783:
---------------------------------

SUCCESS: Integrated in Jenkins build Ambari-trunk-Commit #9211 (See 
[https://builds.apache.org/job/Ambari-trunk-Commit/9211/])
AMBARI-23783. Upgraded com.fasterxml.jackson.core:jackson-databind to (github: 
[https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=ab5da5298bf24992e1ecadbabd96a9fb91616a1d])
* (edit) ambari-metrics/ambari-metrics-timelineservice/pom.xml
* (edit) ambari-metrics/pom.xml


> Remove dependency on com.fasterxml.jackson.core:jackson-databind 2.7.8 in 
> Ambari Metrics Collector
> --------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-23783
>                 URL: https://issues.apache.org/jira/browse/AMBARI-23783
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-metrics
>    Affects Versions: 2.7.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 2.7.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Remove dependency on com.fasterxml.jackson.core:jackson-databind 2.7.8 in 
> Ambari Metrics Collector due to security concerns. See
>  * [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>  
> {noformat}
> HW15069:ambari-metrics-timelineservice smolnar$ mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind -Dverbose=true
> [INFO] Scanning for projects...
> [INFO] 
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Ambari Metrics Collector 2.0.0.0-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
>  
> [INFO] 
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-metrics-timelineservice ---
> [INFO] org.apache.ambari:ambari-metrics-timelineservice:jar:2.0.0.0-SNAPSHOT
> [INFO] +- org.apache.phoenix:phoenix-core:jar:5.0.0.3.0.0.0-1181:compile
> [INFO] |  +- org.apache.hbase:hbase-mapreduce:jar:2.0.0.3.0.0.0-1181:compile
> [INFO] |  |  +- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for duplicate)
> [INFO] |  |  \- org.apache.hadoop:hadoop-hdfs:jar:3.0.0.3.0.0.0-1181:compile
> [INFO] |  |     \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for conflict with 2.7.8)
> [INFO] |  +- org.apache.hbase:hbase-common:jar:2.0.0.3.0.0.0-1181:compile
> [INFO] |  |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:compile - omitted for duplicate)
> [INFO] |  +- org.apache.hbase:hbase-client:jar:2.0.0.3.0.0.0-1181:compile
> [INFO] |  |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:compile - omitted for duplicate)
> [INFO] |  \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:3.0.0.3.0.0.0-1181:compile
> [INFO] |     +- org.apache.hadoop:hadoop-hdfs-client:jar:3.0.0.3.0.0.0-1181:compile
> [INFO] |     |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for conflict with 2.7.8)
> [INFO] |     \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for conflict with 2.7.8)
> [INFO] +- org.apache.hadoop:hadoop-common:jar:3.0.0.3.0.0.0-1181:provided (scope not updated to compile)
> [INFO] |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - scope updated from provided; omitted for duplicate)
> [INFO] +- org.apache.hadoop:hadoop-common:test-jar:tests:3.0.0.3.0.0.0-1181:test
> [INFO] |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - scope updated from test; omitted for duplicate)
> [INFO] +- org.apache.hadoop:hadoop-yarn-common:test-jar:tests:3.0.0.3.0.0.0-1181:test
> [INFO] |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - scope updated from test; omitted for duplicate)
> [INFO] +- org.apache.hadoop:hadoop-yarn-common:jar:3.0.0.3.0.0.0-1181:compile
> [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile
> [INFO] |  +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.7.8:compile
> [INFO] |  |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for duplicate)
> [INFO] |  \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.7.8:compile
> [INFO] |     +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.7.8:compile
> [INFO] |     |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for duplicate)
> [INFO] |     \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for duplicate)
> [INFO] +- org.apache.hadoop:hadoop-yarn-server-common:jar:3.0.0.3.0.0.0-1181:compile
> [INFO] |  \- org.apache.hadoop:hadoop-yarn-registry:jar:3.0.0.3.0.0.0-1181:compile
> [INFO] |     \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for duplicate)
> [INFO] +- org.apache.hbase:hbase-it:jar:tests:2.0.0.3.0.0.0-1181:test
> [INFO] |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:test - omitted for conflict with 2.7.8)
> [INFO] \- org.apache.hbase:hbase-testing-util:jar:2.0.0.3.0.0.0-1181:test
> [INFO]    +- org.apache.hbase:hbase-common:test-jar:tests:2.0.0.3.0.0.0-1181:test
> [INFO]    |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:test - omitted for conflict with 2.7.8)
> [INFO]    +- org.apache.hadoop:hadoop-hdfs:test-jar:tests:3.0.0.3.0.0.0-1181:test
> [INFO]    |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:test - omitted for duplicate)
> [INFO]    \- org.apache.hadoop:hadoop-minicluster:jar:3.0.0.3.0.0.0-1181:test
> [INFO]       +- org.apache.hadoop:hadoop-yarn-server-tests:test-jar:tests:3.0.0.3.0.0.0-1181:test
> [INFO]       |  \- org.apache.hadoop:hadoop-yarn-server-timelineservice:jar:3.0.0.3.0.0.0-1181:test
> [INFO]       |     \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:test - omitted for duplicate)
> [INFO]       \- org.apache.hadoop:hadoop-mapreduce-client-app:jar:3.0.0.3.0.0.0-1181:test
> [INFO]          \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:test - omitted for duplicate)
> {noformat}
> Recommendation is to remove the dependency or upgrade to version 2.8.11.1 or 
> the latest, if possible.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
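
An added example, not part of the JIRA notification or the Ambari code base: a small Python audit of `mvn dependency:tree -Dverbose=true` output like the tree quoted above, reporting which jackson-databind version Maven actually resolved and which direct dependencies pull in a version below the 2.8.11.1 the issue recommends. The sample input is constructed from lines of the quoted tree, and the function names are illustrative.

```python
import re

TARGET = "com.fasterxml.jackson.core:jackson-databind"
MIN_VERSION = (2, 8, 11, 1)  # 2.8.11.1, the minimum the issue recommends

# Constructed sample: lines taken from the tree quoted in the issue, unwrapped and shortened.
SAMPLE = r"""[INFO] Building Ambari Metrics Collector 2.0.0.0-SNAPSHOT
[INFO] org.apache.ambari:ambari-metrics-timelineservice:jar:2.0.0.0-SNAPSHOT
[INFO] +- org.apache.phoenix:phoenix-core:jar:5.0.0.3.0.0.0-1181:compile
[INFO] |  +- org.apache.hbase:hbase-common:jar:2.0.0.3.0.0.0-1181:compile
[INFO] |  |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:compile - omitted for duplicate)
[INFO] +- org.apache.hadoop:hadoop-yarn-common:jar:3.0.0.3.0.0.0-1181:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile
[INFO] \- org.apache.hbase:hbase-it:jar:tests:2.0.0.3.0.0.0-1181:test
[INFO]    \- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:test - omitted for conflict with 2.7.8)
"""

# indent columns ("|  " or "   "), branch marker, "(" for omitted nodes, coordinate
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)([+\\]- )?(\(?)([^\s()]+)")

def version_tuple(version):
    """Numeric parts only; qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def find_target(tree_text, target=TARGET):
    """Return one record per occurrence of target, with the path that pulls it in."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m or m.group(4).count(":") < 3:
            continue  # banner, separator or blank [INFO] line
        indent, marker, paren, coord = m.groups()
        parts = coord.split(":")
        depth = len(indent) // 3 + (1 if marker else 0)
        del stack[depth:]  # drop siblings and deeper nodes from the current path
        stack.append(":".join(parts[:2]))
        if stack[-1] == target:
            # group:artifact:type[:classifier]:version:scope, so version is second to last
            hits.append({"version": parts[-2], "resolved": not paren, "path": stack[1:]})
    return hits

def audit(tree_text):
    """Summarise resolved versions and the direct dependencies that bring in old ones."""
    hits = find_target(tree_text)
    old = [h for h in hits if version_tuple(h["version"]) < MIN_VERSION]
    return {
        "resolved": sorted({h["version"] for h in hits if h["resolved"]}),
        "below_minimum": any(h["resolved"] for h in old),
        "introduced_by": sorted({h["path"][0] for h in old}),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Nodes that Maven prints in parentheses are occurrences it omitted; only the unparenthesised node is the version that lands on the classpath, which is why 2.9.2 requested by HBase does not help here.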
