AMBARI-24778. Removed CVE issues from ambari-server #2459

Merged
merged 1 commit into from Oct 16, 2018

Conversation

smolnar82
Contributor

What changes were proposed in this pull request?

| Current version | Upgrade to | CVE issue(s) |
| --- | --- | --- |
| org.springframework:spring-web:jar:4.3.17.RELEASE | org.springframework:spring-web:jar:4.3.18.RELEASE or the latest | CVE-2018-11039, CVE-2018-11040 |
| jquery-1.8.3.min.js | 1.9.0rc1 or the latest | CVE-2011-4969, CVE-2015-9251, CVE-2012-6708 |
| org.eclipse.jetty:jetty-server:jar:9.4.11.v20180605 | 9.4.12.v20180830 or the latest | CVE-2017-9735, CVE-2018-12536 |

How was this patch tested?

Running JUnit tests in ambari-server.

Checking Maven's dependency resolution:

HW15069:ambari-server smolnar$ mvn dependency:tree -Dincludes=org.springframework:spring-web
...
[INFO] ------------------------------------------------------------------------
[INFO] Building Ambari Server 2.0.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.0.0.0-SNAPSHOT
[INFO] \- org.springframework:spring-web:jar:4.3.18.RELEASE:compile
[INFO] ------------------------------------------------------------------------
HW15069:ambari-server smolnar$ mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-server
...
[INFO] ------------------------------------------------------------------------
[INFO] Building Ambari Server 2.0.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.0.0.0-SNAPSHOT
[INFO] \- org.eclipse.jetty:jetty-server:jar:9.4.12.v20180830:compile
[INFO] ------------------------------------------------------------------------

To test the JS upgrade change I uploaded the new version into my local test environment (vagrant), removed the old version and restarted the server. Then I hit http://c7401:8080/api-docs/ and tried out several API end-points.

@smolnar82 smolnar82 requested review from rlevas, a user and zeroflag October 15, 2018 12:41
@smolnar82 smolnar82 self-assigned this Oct 15, 2018
@smolnar82 smolnar82 added the CVE label Oct 15, 2018
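The manual `mvn dependency:tree` check in the description can be turned into a repeatable gate. The following is an added example, not part of the pull request or the Ambari code base: it parses `mvn dependency:tree` output and reports every node that resolves below the fixed versions listed in the table. The function names, the sample tree and the numeric-prefix comparison (a simplification of Maven's version ordering that ignores qualifiers) are assumptions.

```python
import re
from itertools import takewhile

# Minimum fixed versions, taken from the upgrade table in the PR description.
MIN_VERSIONS = {
    "org.springframework:spring-web": "4.3.18.RELEASE",
    "org.eclipse.jetty:jetty-server": "9.4.12.v20180830",
}

# Constructed sample: the tree shape follows the PR's output, but the stale
# transitive jetty-server node is made up to show a failing case.
SAMPLE = r"""[INFO] org.apache.ambari:ambari-server:jar:2.0.0.0-SNAPSHOT
[INFO] +- org.springframework:spring-web:jar:4.3.18.RELEASE:compile
[INFO] |  \- org.eclipse.jetty:jetty-server:jar:9.4.11.v20180605:compile
"""

# A dependency node line: "[INFO] ", optional "|" indentation, "+-" or "\-".
NODE = re.compile(r"^\[INFO\] [|\s]*[+\\]- (\S+)$")


def numeric_prefix(version):
    """Leading dot-separated integers: '9.4.12.v20180830' -> (9, 4, 12)."""
    return tuple(int(p) for p in takewhile(str.isdigit, version.split(".")))


def resolved_versions(tree_output):
    """Map 'group:artifact' to the set of versions seen in the tree output."""
    found = {}
    for line in tree_output.splitlines():
        m = NODE.match(line.rstrip())
        fields = m.group(1).split(":") if m else []
        # Coordinates are group:artifact:type[:classifier]:version:scope,
        # so the version is always the second-to-last field.
        if len(fields) >= 5:
            found.setdefault(":".join(fields[:2]), set()).add(fields[-2])
    return found


def below_minimum(tree_output, minimums=MIN_VERSIONS):
    """Return sorted (coordinate, version) pairs older than the required floor."""
    found = resolved_versions(tree_output)
    return sorted(
        (coord, version)
        for coord, floor in minimums.items()
        for version in found.get(coord, ())
        if numeric_prefix(version) < numeric_prefix(floor)
    )
```

A coordinate that does not appear in the tree at all is not reported, so run the tree without `-Dincludes` filters that would hide the artifacts being checked.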
@asfgit

asfgit commented Oct 15, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/4274/
Test PASSed.

@smolnar82 smolnar82 merged commit 3b50cb6 into apache:trunk Oct 16, 2018
@smolnar82 smolnar82 deleted the AMBARI-24778 branch October 16, 2018 07:36