Posted to commits@jmeter.apache.org by mi...@apache.org on 2021/12/15 12:08:00 UTC

[jmeter] 01/02: Update log4j2 to 2.16.0 to fix CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

This is an automated email from the ASF dual-hosted git repository.

milamber pushed a commit to branch fix-CVE-2021-44228
in repository https://gitbox.apache.org/repos/asf/jmeter.git

commit fca416257af9dc42c2ad6be0767337d7444eb9c4
Author: Milamber <mi...@apache.org>
AuthorDate: Wed Dec 15 13:00:12 2021 +0100

    Update log4j2 to 2.16.0 to fix CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
---
 gradle.properties                           |  2 +-
 src/dist/src/dist/expected_release_jars.csv |  8 ++---
 xdocs/changes.xml                           | 50 +++--------------------------
 3 files changed, 10 insertions(+), 50 deletions(-)

diff --git a/gradle.properties b/gradle.properties
index f9f3402..8dfd113 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -106,7 +106,7 @@ jsoup.version=1.13.1
 jtidy.version=r938
 junit4.version=4.13.1
 junit5.version=5.7.0
-log4j.version=2.13.3
+log4j.version=2.16.0
 mail.version=1.5.0-b01
 miglayout.version=5.2
 mina-core.version=2.0.19
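Review bot: bumping `log4j.version` alone does not guarantee that every log4j artifact on the runtime classpath resolves to 2.16.0; a dependency that brings in log4j-core transitively can still resolve to the older line depending on how the build applies this property. The expected_release_jars.csv hunk in this patch is the check that the shipped distribution actually carries only the 2.16.0 jars, so the commit message should say that this is where the upgrade is verified, and the build should fail rather than warn when a 2.13.3 jar reappears.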
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv
index a9943ff..eab7c50 100644
--- a/src/dist/src/dist/expected_release_jars.csv
+++ b/src/dist/src/dist/expected_release_jars.csv
@@ -68,10 +68,10 @@
 249924,jtidy-r938.jar
 382708,junit-4.13.1.jar
 48483,jxlayer-3.0.4.jar
-201685,log4j-1.2-api-2.13.3.jar
-292301,log4j-api-2.13.3.jar
-1714164,log4j-core-2.13.3.jar
-23590,log4j-slf4j-impl-2.13.3.jar
+207909,log4j-1.2-api-2.16.0.jar
+301892,log4j-api-2.16.0.jar
+1789565,log4j-core-2.16.0.jar
+24258,log4j-slf4j-impl-2.16.0.jar
 519087,mail-1.5.0-b01.jar
 106939,miglayout-core-5.2.jar
 22390,miglayout-swing-5.2.jar
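Review bot: the four size values are the only verification this file gives for the replaced jars, and a byte count cannot distinguish the official 2.16.0 artifact from a different jar of the same length. Whoever merges this should cross-check the downloaded log4j-*-2.16.0.jar files against the checksums published with the log4j release before accepting the new sizes. Updating the size column is still worthwhile because a stale `log4j-core-2.13.3.jar` left in the distribution will now fail the release check instead of passing silently.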
diff --git a/xdocs/changes.xml b/xdocs/changes.xml
index 6b65c62..0736f2d 100644
--- a/xdocs/changes.xml
+++ b/xdocs/changes.xml
@@ -41,12 +41,14 @@ Earlier changes are detailed in the <a href="changes_history.html">History of Pr
 </note>
 
 
-<!--  =================== 5.4.1 =================== -->
+<!--  =================== 5.4.2 =================== -->
 
-<h1>Version 5.4.1</h1>
+<h1>Version 5.4.2</h1>
 <p>
 Summary
 </p>
+<p>This version is a fix release against the vulnerability CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
+</p>
 <ul>
 <li><a href="#New and Noteworthy">New and Noteworthy</a></li>
 <li><a href="#Incompatible changes">Incompatible changes</a></li>
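Review bot: the 5.4.1 release record is overwritten rather than archived here: the section marker and heading are renamed to 5.4.2 and the hunks that follow delete the 5.4.1 entries, while the first context line says earlier changes are detailed in changes_history.html and the file list (3 files changed) shows no edit to that history page. Confirm the 5.4.1 entries were already moved there, or move them in this commit so the record is not lost. The added `<p>This version is a fix release against the vulnerability CVE-2021-44228 ...` paragraph should also name the log4j version now shipped (2.16.0), so a reader does not have to scroll to Non-functional changes to find it.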
@@ -70,9 +72,6 @@ Summary
 <!-- =================== Incompatible changes =================== -->
 
 <ch_section>Incompatible changes</ch_section>
-<ul>
-    <li>Restart after LAF change has been reinstated, it had been removed in JMeter 5.3</li>
-</ul>
 <!-- =================== Improvements =================== -->
 
 <ch_section>Improvements</ch_section>
@@ -111,25 +110,11 @@ Summary
 
 <h3>General</h3>
 <ul>
-  <li><bug>65028</bug>Add documentation for the property <code>client.rmi.localport</code></li>
-  <li><bug>65012</bug>Better handling of displaying long comments in the GUI</li>
 </ul>
 
 <ch_section>Non-functional changes</ch_section>
 <ul>
-    <li>Updated SaxonHE to 9.9.1-8 (from 9.9.1-7)</li>
-    <li>Updated asm to 9.0 (from 7.3.1)</li>
-    <li>Updated bouncycastle to 1.67 (from 1.66)</li>
-    <li>Updated caffeine to 2.8.8 (from 2.8.0)</li>
-    <li>Updated commons-codec to 1.15 (from 1.14)</li>
-    <li>Updated commons-io to 2.8.0 (from 2.7)</li>
-    <li>Updated commons-net to 3.7.2 (from 3.7)</li>
-    <li>Updated jackson to 2.10.5 (from 2.10.3)</li>
-    <li>Updated junit to 4.13.1 (from 4.13)</li>
-    <li>Updated ph-commons to 9.5.1 (from 9.4.1)</li>
-    <li>Updated ph-css to 6.2.3 (from 6.2.1)</li>
-    <li>Updated groovy to 3.0.7 (from 3.0.5)</li>
-    <li>Updated xstream to 1.4.15 (from 1.4.14)</li>
+    <li>Updated Apache log4j2 to 2.16.0 (from 2.13.3).</li>
 </ul>
 
  <!-- =================== Bug fixes =================== -->
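Review bot: the security fix itself, `+    <li>Updated Apache log4j2 to 2.16.0 (from 2.13.3).</li>`, is recorded only as a Non-functional change; since the commit message titles it as the fix for CVE-2021-44228, the entry should carry the CVE identifier so the changes page is searchable by it. Two style points: the trailing period differs from the surrounding entries (the removed lines have none), and this hunk leaves `<h3>General</h3>` under Improvements with an empty `<ul></ul>`, which should either get a placeholder or be removed together with its heading.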
@@ -138,19 +123,10 @@ Summary
 
 <h3>HTTP Samplers and Test Script Recorder</h3>
 <ul>
-  <li><bug>64955</bug>Keystore password not reset on reload</li>
-  <li><bug>65002</bug>HTTP(S) Test Script recorder creates an invalid Basic authentication URL. Contributed by Ubik Load Pack (https://ubikloadpack.com)</li>
-  <li><bug>65004</bug>HTTP(S) Test Script recorder computes wrong HTTP Request breaking the application. Contributed by Ubik Load Pack (https://ubikloadpack.com)</li>
-  <li><bug>64543</bug>On MacOSX, Darklaf- IntelliJ Theme throws NPE in javax.swing.ToolTipManager.initiateToolTip</li>
-  <li><bug>65024</bug>Sending mime type with parameter throws IllegalArgumentException</li>
-  <li><bug>65029</bug>Try harder to correctly guess the URL for applets, when download embedded URLs is enabled</li>
 </ul>
 
 <h3>Other Samplers</h3>
 <ul>
-  <li><bug>65034</bug>Ignore <code>SocketTimeoutException</code> on <code>BinaryTCPClientImpl</code>, when no EOM Byte is set. Regression
-     introduced by commit c190641e4f0474a34a366a72364b0a8dd25bfc81 which fixed <bug>52104</bug>. That bug was bout handling
-     the case of waiting for an EOM.</li>
 </ul>
 
 <h3>Controllers</h3>
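Review bot: both `<h3>HTTP Samplers and Test Script Recorder</h3>` and `<h3>Other Samplers</h3>` are left with empty `<ul></ul>` blocks once their items are removed, and the same pattern recurs in the Listeners, Documentation and General hunks below. Consider removing the empty heading/list pairs, or keeping a single line stating that this release contains no bug fixes beyond the log4j upgrade, so the rendered changes page does not show a run of empty sections.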
@@ -159,8 +135,6 @@ Summary
 
 <h3>Listeners</h3>
 <ul>
-  <li><bug>64821</bug>When importing XML formatted jtl files, sub samplers will get renamed</li>
-  <li><bug>65052</bug>XPath2 Tester and JSON JMESPath Tester are missing in <code>view.results.tree.renderers_order</code> property</li>
 </ul>
 
 <h3>Timers, Assertions, Config, Pre- &amp; Post-Processors</h3>
@@ -181,20 +155,10 @@ Summary
 
 <h3>Documentation</h3>
 <ul>
-  <li><bug>64960</bug>Change scheduler reference in Thread Group documentation. Contributed by Ori Marko</li>
-  <li><bug>65006</bug>Illustration for completed HTTP Request Defaults element (Figure 4.4) contains misleading info</li>
 </ul>
 
 <h3>General</h3>
 <ul>
-  <li><bug>64957</bug>When importing example test plan JMeter displays an NullPointerException</li>
-  <li><bug>64961</bug>Darklaf: On Windows 7, NPE in BasicEditorPaneUI.cleanDisplayProperties with Darklaf Intellij</li>
-  <li><bug>64963</bug>Blank comment tooltip is visible</li>
-  <li><bug>64969</bug>RemoteJMeterEngineImpl#rexit doesn't unexport RemoteJMeterEngineImpl on exit. Contributed by luo_isaiah at qq.com</li>
-  <li><bug>64984</bug>Darklaf LAF: Selecting a Test element does not work under certain screen resolutions on Windows. With the help of Jannis Weis</li>
-  <li><bug>65008</bug>SampleResult.setIgnore() called from PostProcessor is not considered</li>
-  <li><bug>64993</bug>Daklaf LAF: Menu navigation not working with keyboard shortcuts. With the help of Jannis Weis</li>
-  <li><bug>65013</bug>POST multipart/form-data cURL code with quoted arguments is not imported correctly</li>
 </ul>
 
  <!--  =================== Thanks =================== -->
@@ -203,10 +167,6 @@ Summary
 <p>We thank all contributors mentioned in bug and improvement sections above:
 </p>
 <ul>
-  <li>Ori Marko (orimarko at gmail.com)</li>
-  <li>罗寅卓 (luo_isaiah at qq.com)</li>
-  <li><a href="https://ubikloadpack.com" >Ubik Load Pack</a></li>
-  <li><a href="https://github.com/weisJ/darklaf">Jannis Weis</a></li>
 </ul>
 <p>We also thank bug reporters who helped us improve JMeter.</p>
 <ul>
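Review bot: the lead-in `We thank all contributors mentioned in bug and improvement sections above:` is kept while every contributor entry beneath it is removed, so it now introduces an empty list; drop the paragraph together with the list, or reword it, for this fix-only release. The same check applies to the `We also thank bug reporters ...` paragraph and the `<ul>` that follows it on the last context line, which should not be left empty either.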