Posted to dev@jmeter.apache.org by "nadenf (via GitHub)" <gi...@apache.org> on 2023/01/25 04:06:07 UTC

[GitHub] [jmeter] nadenf opened a new issue, #5766: Release 5.5.1

nadenf opened a new issue, #5766:
URL: https://github.com/apache/jmeter/issues/5766

   ### Expected behavior
   
   The current release of JMeter includes an active vulnerability CVE-2022-42889.
   
   This has been resolved in commits that are targeted for the 5.5.1.
   
   Can we request this be released.
   
   ### Actual behavior
   
   Current release is 5.5 which is over 6 months old.
   
   ### Steps to reproduce the problem
   
   Not applicable.
   
   ### JMeter Version
   
   5.5
   
   ### Java Version
   
   _No response_
   
   ### OS Version
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@jmeter.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [jmeter] ibalosh commented on issue #5766: Release 5.5.1

Posted by "ibalosh (via GitHub)" <gi...@apache.org>.
ibalosh commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1436907442

   related ticket: https://github.com/apache/jmeter/issues/5718




[GitHub] [jmeter] milamberspace commented on issue #5766: Release 5.5.1

Posted by "milamberspace (via GitHub)" <gi...@apache.org>.
milamberspace commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1550009696

   We probably release directly Apache JMeter 5.6 with xalan 2.7.3 in a couple of days/weeks




[GitHub] [jmeter] markti commented on issue #5766: Release 5.5.1

Posted by "markti (via GitHub)" <gi...@apache.org>.
markti commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553390477

   > We probably release directly Apache JMeter 5.6 with xalan 2.7.3 in a couple of days/weeks
   
   this is a critical security issue. is it possible you can release 5.5.1? need this patched ASAP.




[GitHub] [jmeter] markti commented on issue #5766: Release 5.5.1

Posted by "markti (via GitHub)" <gi...@apache.org>.
markti commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553634221

   > Note: JMeter is not affected by the commons-text CVE (JMeter does not use the impacted class, see [fb557d5](https://github.com/apache/jmeter/commit/fb557d548d829812591d041fe8218f87d857e0c5) ), so I do not think there's urgency for releasing 5.5.1 for the sake of fixing commons-text
   
   ok. how do I prove this to my compliance team? ....asking for a friend.... 




[GitHub] [jmeter] vlsi commented on issue #5766: Release 5.5.1

Posted by "vlsi (via GitHub)" <gi...@apache.org>.
vlsi commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1516060556

   We wait on Xalan 2.7.3 to be available on Central.
   They published the jars to https://xalan.apache.org/xalan-j/downloads.html#latest-release, however, they have not yet published the jars to Central.
   
   Hopefully, xalan team would be able to release it soon: https://lists.apache.org/thread/2m8c0kb94gxbxwvnjq498bll11fph79z.
   




[GitHub] [jmeter] ibalosh commented on issue #5766: Release 5.5.1

Posted by "ibalosh (via GitHub)" <gi...@apache.org>.
ibalosh commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1428240262

   any news regarding this issue?




[GitHub] [jmeter] mikhailidim commented on issue #5766: Release 5.5.1

Posted by "mikhailidim (via GitHub)" <gi...@apache.org>.
mikhailidim commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553753637

   Tenable is very convenient that you are.
   
   On Thu, May 18, 2023, 4:57 PM markti ***@***.***> wrote:
   
   > Note: JMeter is not affected by the commons-text CVE (JMeter does not use
   > the impacted class, see fb557d5
   > <https://github.com/apache/jmeter/commit/fb557d548d829812591d041fe8218f87d857e0c5>
   > ), so I do not think there's urgency for releasing 5.5.1 for the sake of
   > fixing commons-text
   >
   > ok. how do I prove this to my compliance team? ....asking for a friend....
   




[GitHub] [jmeter] nadenf commented on issue #5766: Release 5.5.1

Posted by "nadenf (via GitHub)" <gi...@apache.org>.
nadenf commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553480878

   @vlsi  .. Many of us are in corporate environments which have automated security enforcement systems.
   
   And they aren't sophisticated enough to know that you're not using the affected classes. Only that you're using the JAR at all.
   
   Which means we are constantly having to lodge risk reports justifying why JMeter shouldn't be banned.




[GitHub] [jmeter] ibalosh commented on issue #5766: Release 5.5.1

Posted by "ibalosh (via GitHub)" <gi...@apache.org>.
ibalosh commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553574253

   agreed with @nadenf 




[GitHub] [jmeter] vlsi commented on issue #5766: Release 5.5.1

Posted by "vlsi (via GitHub)" <gi...@apache.org>.
vlsi commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553427384

   Note: JMeter is not affected by the commons-text CVE (JMeter does not use the impacted class, see https://github.com/apache/jmeter/commit/fb557d548d829812591d041fe8218f87d857e0c5 ), so I do not think there's urgency for releasing 5.5.1 for the sake of fixing commons-text




[GitHub] [jmeter] breunouddanedeu commented on issue #5766: Release 5.5.1

Posted by "breunouddanedeu (via GitHub)" <gi...@apache.org>.
breunouddanedeu commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1515938293

   Any news regarding this issue ?




[GitHub] [jmeter] mikhailidim commented on issue #5766: Release 5.5.1

Posted by "mikhailidim (via GitHub)" <gi...@apache.org>.
mikhailidim commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1548015884

   Xalan 2.7.3 was published on Central May 4th. Any news on JMeter 5.5.1?




[GitHub] [jmeter] jaslawinMs commented on issue #5766: Release 5.5.1

Posted by "jaslawinMs (via GitHub)" <gi...@apache.org>.
jaslawinMs commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553619403

   agree with @nadenf. We are several weeks in a security compliance violation because of JMeter version. Of course, we can do it manually etc. but what is the purpose of releases if it does not deliver fixes?




[GitHub] [jmeter] vlsi commented on issue #5766: Release 5.5.1

Posted by "vlsi (via GitHub)" <gi...@apache.org>.
vlsi commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1553420652

   Hi, there's a workaround: you could replace the jar.
   
   We will release JMeter 5.6 soon: https://github.com/apache/jmeter/milestone/10
   
   It would help if you could test a recent nightly build: https://jmeter.apache.org/nightly.html
   
   If you find your issue/PR missing in `5.6 milestone`, don't hesitate to ask.
   If somebody could volunteer testing or reviewing the change, it would help as well.
   
   ---
   
   Recently we configured Renovate bot for automatic dependency suggestions, so JMeter would release with more up-to-date versions rather than previously when version updates were fully manual.
   
   




[GitHub] [jmeter] jaslawinMs commented on issue #5766: Release 5.5.1

Posted by "jaslawinMs (via GitHub)" <gi...@apache.org>.
jaslawinMs commented on issue #5766:
URL: https://github.com/apache/jmeter/issues/5766#issuecomment-1476881919

   is there any ETA for a new release having the fix?

