Robert Levas created AMBARI-24507: ------------------------------------- Summary: Remove dependency on org.bouncycastle bcprov-jdk15on before version 1.6.0 for Ambari Server Key: AMBARI-24507 URL: https://issues.apache.org/jira/browse/AMBARI-24507 Project: Ambari Issue Type: Bug Components: ambari-server Affects Versions: 2.7.1 Reporter: Robert Levas Assignee: Robert Levas Fix For: 2.7.1
Remove dependency on org.bouncycastle bcprov-jdk15on before version 1.6.0 for Ambari Server security concerns. See * CVE-2018-1000180 - https://nvd.nist.gov/vuln/detail/CVE-2018-1000180 This dependency is compiled into the apacheds-all.jar from {code} <dependency> <groupId>org.apache.directory.server</groupId> <artifactId>apacheds-all</artifactId> <version>2.0.0-M24</version> </dependency> {code} The relevant parts of this need to be broken out and the offending bouncy castle JAR needs to be excluded as needed. -- This message was sent by Atlassian JIRA (v7.6.3#76005)