Posted to issues@jmeter.apache.org by bu...@apache.org on 2022/04/12 15:59:56 UTC
[Bug 66011] New: jmeter ships with a vulnerable version of spring
https://bz.apache.org/bugzilla/show_bug.cgi?id=66011
Bug ID: 66011
Summary: jmeter ships with a vulnerable version of spring
Product: JMeter
Version: 5.4.3
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Main
Assignee: issues@jmeter.apache.org
Reporter: rene@brandenburger.lu
Target Milestone: JMETER_5.5
jmeter references a vulnerable version of the Spring framework. My customer
blocks access to all vulnerable versions of spring, thus making it impossible for
me to run jmeter from within the jmeter-maven-plugin (which downloads all
jmeter dependencies automagically).
When will there be a release using a safe version of spring framework (>=
5.3.18)?
Regards
René
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 66011] jmeter ships with a vulnerable version of spring
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66011
Felix Schumacher <fe...@internetallee.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #1 from Felix Schumacher <fe...@internetallee.de> ---
JMeter itself does not need Spring and is not bundled with it.
It is probably a dependency from ActiveMQ (which we include for testing JMS).
If you are on Java 9+ you can replace the bad jars following the documentation
of the jmeter maven plugin's site:
https://github.com/jmeter-maven-plugin/jmeter-maven-plugin/wiki/Adding-Excluding-libraries-to-from-the-classpath
Questions on the usage of jmeter maven plugin are better asked on their
forums.
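An added example, not part of the original thread or of JMeter or the plugin: a check to confirm which Spring jars actually end up in a resolved library directory before and after replacing them. The 5.3.18 threshold is the one quoted in the report; the directory path and all function names are assumptions of this sketch.

```python
import re
import sys
import zipfile
from pathlib import Path

MIN_SAFE = (5, 3, 18)  # threshold quoted by the reporter (">= 5.3.18")
# Matches e.g. spring-core-5.3.9.jar or spring-jms-5.2.8.RELEASE.jar
NAME_RE = re.compile(r"^spring-[a-z-]+?-(\d+(?:\.\d+)*)[.\w-]*\.jar$")

def parse_version(text):
    """Turn '5.3.9.RELEASE' into (5, 3, 9); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def manifest_version(jar_path):
    """Fallback for unversioned file names: Implementation-Version from the manifest."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return match.group(1) if match else None

def find_old_spring_jars(lib_dir, min_safe=MIN_SAFE):
    """Return sorted (jar name, version) pairs for spring-* jars below min_safe.

    Jars whose version cannot be determined are reported as 'unknown' so they
    get a manual look instead of being silently passed.
    """
    findings = []
    for jar_path in Path(lib_dir).rglob("spring-*.jar"):
        match = NAME_RE.match(jar_path.name)
        version = match.group(1) if match else manifest_version(jar_path)
        if version is None:
            findings.append((jar_path.name, "unknown"))
        elif parse_version(version) < min_safe:
            findings.append((jar_path.name, version))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python check_spring_jars.py <directory containing the resolved jars>
    results = find_old_spring_jars(sys.argv[1])
    for name, version in results:
        print(f"{name}: {version} is below {'.'.join(map(str, MIN_SAFE))}")
    sys.exit(1 if results else 0)
```

The check looks only at jars named `spring-*`; Spring classes repackaged inside another jar are not detected by it.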