Posted to dev@jmeter.apache.org by "nadenf (via GitHub)" <gi...@apache.org> on 2023/01/25 04:06:07 UTC
[GitHub] [jmeter] nadenf opened a new issue, #5766: Release 5.5.1
nadenf opened a new issue, #5766:
URL: https://github.com/apache/jmeter/issues/5766
### Expected behavior
The current release of JMeter includes an active vulnerability CVE-2022-42889.
This has been resolved in commits that are targeted for the 5.5.1.
Can we request this be released?
### Actual behavior
Current release is 5.5 which is over 6 months old.
### Steps to reproduce the problem
Not applicable.
### JMeter Version
5.5
### Java Version
_No response_
### OS Version
_No response_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@jmeter.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [jmeter] ibalosh commented on issue #5766: Release 5.5.1
Posted by "ibalosh (via GitHub)" <gi...@apache.org>.
ibalosh commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1436907442
related ticket: https://github.com/apache/jmeter/issues/5718
[GitHub] [jmeter] milamberspace commented on issue #5766: Release 5.5.1
Posted by "milamberspace (via GitHub)" <gi...@apache.org>.
milamberspace commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1550009696
We probably release directly Apache JMeter 5.6 with Xalan 2.7.3 in a couple of days/weeks
[GitHub] [jmeter] markti commented on issue #5766: Release 5.5.1
Posted by "markti (via GitHub)" <gi...@apache.org>.
markti commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553390477
> We probably release directly Apache JMeter 5.6 with Xalan 2.7.3 in a couple of days/weeks
this is a critical security issue. is it possible you can release 5.5.1? need this patched ASAP.
[GitHub] [jmeter] markti commented on issue #5766: Release 5.5.1
Posted by "markti (via GitHub)" <gi...@apache.org>.
markti commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553634221
> Note: JMeter is not affected by the commons-text CVE (JMeter does not use the impacted class, see [fb557d5](https://github.com/apache/jmeter/commit/fb557d548d829812591d041fe8218f87d857e0c5) ), so I do not think there's urgency for releasing 5.5.1 for the sake of fixing commons-text
ok. how do I prove this to my compliance team? ....asking for a friend....
[GitHub] [jmeter] vlsi commented on issue #5766: Release 5.5.1
Posted by "vlsi (via GitHub)" <gi...@apache.org>.
vlsi commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1516060556
We wait on Xalan 2.7.3 to be available on Central.
They published the jars to https://xalan.apache.org/xalan-j/downloads.html#latest-release, however, they have not yet published the jars to Central.
Hopefully, xalan team would be able to release it soon: https://lists.apache.org/thread/2m8c0kb94gxbxwvnjq498bll11fph79z.
[GitHub] [jmeter] ibalosh commented on issue #5766: Release 5.5.1
Posted by "ibalosh (via GitHub)" <gi...@apache.org>.
ibalosh commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1428240262
any news regarding this issue?
[GitHub] [jmeter] mikhailidim commented on issue #5766: Release 5.5.1
Posted by "mikhailidim (via GitHub)" <gi...@apache.org>.
mikhailidim commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553753637
Tenable is very convenient that you are.
On Thu, May 18, 2023, 4:57 PM markti ***@***.***> wrote:
> Note: JMeter is not affected by the commons-text CVE (JMeter does not use
> the impacted class, see fb557d5
> <https://github.com/apache/jmeter/commit/fb557d548d829812591d041fe8218f87d857e0c5>
> ), so I do not think there's urgency for releasing 5.5.1 for the sake of
> fixing commons-text
>
> ok. how do I prove this to my compliance team? ....asking for a friend....
[GitHub] [jmeter] nadenf commented on issue #5766: Release 5.5.1
Posted by "nadenf (via GitHub)" <gi...@apache.org>.
nadenf commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553480878
@vlsi .. Many of us are in corporate environments which have automated security enforcement systems.
And they aren't sophisticated enough to know that you're not using the affected classes. Only that you're using the JAR at all.
Which means we are constantly having to lodge risk reports justifying why JMeter shouldn't be banned.
[GitHub] [jmeter] ibalosh commented on issue #5766: Release 5.5.1
Posted by "ibalosh (via GitHub)" <gi...@apache.org>.
ibalosh commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553574253
agreed with @nadenf
[GitHub] [jmeter] vlsi commented on issue #5766: Release 5.5.1
Posted by "vlsi (via GitHub)" <gi...@apache.org>.
vlsi commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553427384
Note: JMeter is not affected by the commons-text CVE (JMeter does not use the impacted class, see https://github.com/apache/jmeter/commit/fb557d548d829812591d041fe8218f87d857e0c5 ), so I do not think there's urgency for releasing 5.5.1 for the sake of fixing commons-text
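The disagreement in this thread is between a scanner that flags the commons-text JAR because it is present and the maintainers' statement that the impacted class is not used. The following is an added example, not part of the thread or of JMeter's code: it lists which commons-text classes the other jars actually name in their class-file constant pools. The jar contents and the `Placeholder...` class names are constructed; the class name to watch must be taken from the advisory.

```python
import io
import re
import zipfile

# Package prefix as it appears in class-file constant pools (slash-separated).
PKG = b"org/apache/commons/text/"
REF = re.compile(re.escape(PKG) + rb"[A-Za-z0-9_$/]+")

def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()

def referenced_classes(jar_bytes):
    """Map each class entry outside the library to the library classes it names."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class") or name.encode().startswith(PKG):
                continue  # skip resources and the library's own classes
            found = {m.decode() for m in REF.findall(jar.read(name))}
            if found:
                hits[name] = sorted(found)
    return hits

def audit(jars, watched):
    """Return rows (jar, class entry, referenced class, is_watched) for a report."""
    rows = []
    for jar_name, data in sorted(jars.items()):
        for entry, refs in sorted(referenced_classes(data).items()):
            rows.extend((jar_name, entry, ref, ref in watched) for ref in refs)
    return rows

# Constructed sample: one application jar plus the flagged library jar itself.
MAGIC = b"\xca\xfe\xba\xbe\x00\x00"
SAMPLE = {
    "app-core.jar": make_jar({
        "demo/Fmt.class": MAGIC + PKG + b"PlaceholderOther\x00",
        "demo/Plain.class": MAGIC + b"java/lang/String\x00",
    }),
    "commons-text-X.Y.jar": make_jar({
        PKG.decode() + "PlaceholderFlagged.class": MAGIC + PKG + b"PlaceholderOther\x00",
    }),
}
WATCHED = {"org/apache/commons/text/PlaceholderFlagged"}  # hypothetical name
```

A class loaded reflectively by its dotted name does not appear as a slash-separated constant-pool reference, so an empty result is supporting evidence for a risk report rather than proof of non-use.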
[GitHub] [jmeter] breunouddanedeu commented on issue #5766: Release 5.5.1
Posted by "breunouddanedeu (via GitHub)" <gi...@apache.org>.
breunouddanedeu commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1515938293
Any news regarding this issue ?
[GitHub] [jmeter] mikhailidim commented on issue #5766: Release 5.5.1
Posted by "mikhailidim (via GitHub)" <gi...@apache.org>.
mikhailidim commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1548015884
Xalan 2.7.3 was published on Central May 4th. Any news on JMeter 5.5.1?
[GitHub] [jmeter] jaslawinMs commented on issue #5766: Release 5.5.1
Posted by "jaslawinMs (via GitHub)" <gi...@apache.org>.
jaslawinMs commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553619403
agree with @nadenf. We are several weeks in a security compliance violation because of JMeter version. Of course, we can do it manually etc. but what is the purpose of releases if it does not deliver fixes?
[GitHub] [jmeter] vlsi commented on issue #5766: Release 5.5.1
Posted by "vlsi (via GitHub)" <gi...@apache.org>.
vlsi commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553420652
Hi, there's a workaround: you could replace the jar.
We will release JMeter 5.6 soon: https://github.com/apache/jmeter/milestone/10
It would help if you could test a recent nightly build: https://jmeter.apache.org/nightly.html
If you find your issue/PR missing in `5.6 milestone`, don't hesitate to ask.
If somebody could volunteer testing or reviewing the change, it would help as well.
---
Recently we configured Renovate bot for automatic dependency suggestions, so JMeter would release with more up-to-date versions rather than previously when version updates were fully manual.
[GitHub] [jmeter] jaslawinMs commented on issue #5766: Release 5.5.1
Posted by "jaslawinMs (via GitHub)" <gi...@apache.org>.
jaslawinMs commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1476881919
is there any ETA for a new release having the fix?