[jira] [Updated] (AMBARI-25313) Upgrade dependency on com.mchange:c3p0:jar:0.9.5.2 in Ambari Server

Tue, 18 Jun 2019 04:20:12 -0700 


     [ 
https://issues.apache.org/jira/browse/AMBARI-25313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krisztian Kasa updated AMBARI-25313:
------------------------------------
    Description: 
Remove dependency on com.mchange:c3p0:jar:0.9.5. in Ambari Server due to 
security concerns. See 

https://nvd.nist.gov/vuln/detail/CVE-2018-20433

{code}
± % mvn dependency:tree -Dincludes=com.mchange:c3p0
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.ambari:ambari-server >-------------------
[INFO] Building Ambari Server 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.7.3.0.0
[INFO] \- com.mchange:c3p0:jar:0.9.5.2:compile
{code}
Recommendation is to remove the dependency or upgrade to version 0.9.5.3 or the 
latest version, if possible.

  was:
Remove dependency on com.mchange:c3p0:jar:0.9.5. in Ambari Server due to 
security concerns. See 

https://nvd.nist.gov/vuln/detail/CVE-2018-20433

± % mvn dependency:tree -Dincludes=com.mchange:c3p0
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.ambari:ambari-server >-------------------
[INFO] Building Ambari Server 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.7.3.0.0
[INFO] \- com.mchange:c3p0:jar:0.9.5.2:compile

Recommendation is to remove the dependency or upgrade to version 0.9.5.3 or the 
latest version, if possible.


> Upgrade dependency on com.mchange:c3p0:jar:0.9.5.2 in Ambari Server
> -------------------------------------------------------------------
>
>                 Key: AMBARI-25313
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25313
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.3
>            Reporter: Krisztian Kasa
>            Assignee: Krisztian Kasa
>            Priority: Major
>             Fix For: 2.7.4
>
>
> Remove dependency on com.mchange:c3p0:jar:0.9.5. in Ambari Server due to 
> security concerns. See 
> https://nvd.nist.gov/vuln/detail/CVE-2018-20433
> {code}
> ± % mvn dependency:tree -Dincludes=com.mchange:c3p0
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ------------------< org.apache.ambari:ambari-server 
> >-------------------
> [INFO] Building Ambari Server 2.7.3.0.0
> [INFO] --------------------------------[ jar 
> ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
> [INFO] org.apache.ambari:ambari-server:jar:2.7.3.0.0
> [INFO] \- com.mchange:c3p0:jar:0.9.5.2:compile
> {code}
> Recommendation is to remove the dependency or upgrade to version 0.9.5.3 or 
> the latest version, if possible.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to