Posted to dev@jmeter.apache.org by GitBox <gi...@apache.org> on 2022/11/03 19:22:00 UTC

[GitHub] [jmeter] sseide opened a new pull request, #5725: Fix multiple CVE

sseide opened a new pull request, #5725:
URL: https://github.com/apache/jmeter/pull/5725

   ## Description
   This patch updates some dependencies used to fix multiple security warnings found within these libraries or their dependencies.
   
   ## Motivation and Context
   
   * jsoup to 1.15.3 (fixes CVE-2022-36033)
   * jackson to 2.13.4 and jackson-databind to 2.13.4.2 (fixes CVE-2022-42004, CVE-2022-42003)
   * tika-parsers to 1.28.5 (CVE-2022-33879 and for updated dependencies of jackson)
   
   Additionally I added the new GPG key for the Jackson project and removed one old key
   that expired in 2016. The other key from the Jackson project expired just some months ago, so I
   left it there. The new key is taken from the Jackson main repository's KEYS file (https://github.com/FasterXML/jackson/blob/master/KEYS)
   
   ## How Has This Been Tested?
   Tested ourselves using JMeter with the newer libraries and ran `gradle check`
   
   ## Screenshots (if appropriate):
   
   ## Types of changes
   - Bug fix (non-breaking change which fixes an issue)
   
   ## Checklist:
   - [x] My code follows the [code style][style-guide] of this project.
   - [x] I have updated the documentation accordingly.
   
   [style-guide]: https://wiki.apache.org/jmeter/CodeStyleGuidelines
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@jmeter.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
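As an added example for this thread (not part of the PR and not JMeter's own build tooling): a small Python check that reads a `gradle dependencies`-style report, takes the version Gradle actually resolved for each module (honouring the `->` upgrade arrows), and flags any module still below the fixed versions named in this PR and its follow-up comments. The Maven coordinates of the five modules and the sample report are assumptions made for the example; the minimum versions and CVE ids are the ones stated in the thread.

```python
"""Flag resolved dependencies older than the fixed versions named in PR #5725.

Added example for this thread, not JMeter's own build tooling.  The minimum
versions and CVE ids come from the PR description and follow-up comments;
the Maven coordinates of the modules and the sample report are assumptions
made for the example.
"""
import re
from typing import Dict, List, Tuple

# (group, module) -> (first fixed version, CVEs named in the thread).
# Coordinates are assumed; the PR text only names the modules.
MIN_FIXED_VERSIONS: Dict[Tuple[str, str], Tuple[str, List[str]]] = {
    ("org.jsoup", "jsoup"): ("1.15.3", ["CVE-2022-36033"]),
    ("com.fasterxml.jackson.core", "jackson-databind"):
        ("2.13.4.2", ["CVE-2022-42003", "CVE-2022-42004"]),
    ("org.apache.tika", "tika-parsers"): ("1.28.5", ["CVE-2022-33879"]),
    ("commons-net", "commons-net"): ("3.9.0", ["CVE-2021-37533"]),
    ("com.thoughtworks.xstream", "xstream"):
        ("1.4.20", ["CVE-2022-40151", "CVE-2022-41966"]),
}

# One `gradle dependencies` style line: group:module[:declared][ -> resolved]
DEP_LINE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+)"      # group:module
    r"(?::([A-Za-z0-9_.\-]+))?"                   # :declared version (optional)
    r"(?:\s*->\s*([A-Za-z0-9_.\-]+))?"            # -> version Gradle actually resolved
)

VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.13.4.2' into ((2, 13, 4, 2), '') and '1.4.20-rc1' into ((1, 4, 20), 'rc1')."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) or ""


def is_at_least(actual: str, required: str) -> bool:
    """True if `actual` carries the fix first shipped in `required`.

    Numeric parts are zero-padded so 2.13.4 ranks below 2.13.4.2; with equal
    numbers, a qualified build (rc1, SNAPSHOT) ranks below the plain release.
    """
    a_nums, a_qual = parse_version(actual)
    r_nums, r_qual = parse_version(required)
    width = max(len(a_nums), len(r_nums))
    a_padded = a_nums + (0,) * (width - len(a_nums))
    r_padded = r_nums + (0,) * (width - len(r_nums))
    if a_padded != r_padded:
        return a_padded > r_padded
    return a_qual == "" or a_qual == r_qual


def resolved_dependencies(report: str) -> Dict[Tuple[str, str], str]:
    """Map (group, module) to the version Gradle resolved, honouring '->' upgrades."""
    resolved: Dict[Tuple[str, str], str] = {}
    for line in report.splitlines():
        if "project :" in line:      # sub-project references carry no version
            continue
        m = DEP_LINE.search(line)
        if not m:
            continue
        group, module, declared, upgraded = m.groups()
        version = upgraded or declared
        if version:
            resolved[(group, module)] = version
    return resolved


def find_vulnerable(report: str) -> List[Tuple[str, str, str, str, List[str]]]:
    """Return (group, module, resolved, fixed-in, cves) for every module below its fix."""
    findings: List[Tuple[str, str, str, str, List[str]]] = []
    for (group, module), version in resolved_dependencies(report).items():
        entry = MIN_FIXED_VERSIONS.get((group, module))
        if entry and not is_at_least(version, entry[0]):
            findings.append((group, module, version, entry[0], entry[1]))
    return findings


# Constructed sample report, not real JMeter output.
SAMPLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.jsoup:jsoup:1.15.2 -> 1.15.3
+--- com.fasterxml.jackson.core:jackson-databind:2.13.2
+--- org.apache.tika:tika-parsers:1.28.5
+--- commons-net:commons-net:3.8.0
+--- com.thoughtworks.xstream:xstream:1.4.19 -> 1.4.20-rc1
\\--- org.apache.commons:commons-text:1.10.0
"""

if __name__ == "__main__":
    for group, module, version, fixed, cves in find_vulnerable(SAMPLE_REPORT):
        print(f"{group}:{module}:{version} is below {fixed} ({', '.join(cves)})")
```

On the constructed report the check reports jackson-databind (2.13.2), commons-net (3.8.0) and xstream (a 1.4.20 release candidate), while jsoup passes because the resolved 1.15.3 is used rather than the declared 1.15.2. The four-component Jackson version is the reason for the zero-padding: a plain string or three-part comparison would accept 2.13.4 as equal to 2.13.4.2.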


[GitHub] [jmeter] sseide commented on a diff in pull request #5725: Fix multiple CVE

Posted by GitBox <gi...@apache.org>.
sseide commented on code in PR #5725:
URL: https://github.com/apache/jmeter/pull/5725#discussion_r1055698487


##########
xdocs/changes.xml:
##########
@@ -105,6 +105,11 @@ Summary
   <li><pr>5710</pr>Add GitHub Issue templates</li>
   <li><pr>5713</pr>Update Spock to 2.2-groovy-3.0 (from 2.1-groovy-3.0)</li>
   <li><issue>5718</issue>Update Apache commons-text to 1.10.0 (from 1.9)</li>
+  <li><issue>5725</issue>Update Jackson Core to 2.13.4 (from 2.13.2)</li>
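Review bot: the added line wraps a pull-request number in `<issue>` markup, while the two entries directly above use `<pr>5710</pr>` and `<pr>5713</pr>` for pull requests; change it to `<li><pr>5725</pr>Update Jackson Core to 2.13.4 (from 2.13.2)</li>` so the generated changelog links to the PR rather than an issue of the same number.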

Review Comment:
   Mmh, I do not know how I missed that. Thanks for pointing it out.
   
   Btw, when regenerating the checksum.xml file, Gradle added three dependencies from Kotlin too. I have not pushed them, as there are no changes in regard to these dependencies from my side. But it might be needed to re-evaluate them.
   
   These are the "groups:modules" it wants to add to the checksums file:
   - group='io.github.microutils' module='kotlin-logging'
   - group='org.jetbrains.kotlinx' module='atomicfu'
   - group='org.jetbrains.kotlinx' module='kotlinx-coroutines-core'
   





[GitHub] [jmeter] sseide commented on pull request #5725: Fix multiple CVE

Posted by GitBox <gi...@apache.org>.
sseide commented on PR #5725:
URL: https://github.com/apache/jmeter/pull/5725#issuecomment-1362706441

   I added another update for commons-net to 3.9.0, fixing CVE-2021-37533.
   Tests running again without error.




[GitHub] [jmeter] asfgit closed pull request #5725: Fix multiple CVE

Posted by GitBox <gi...@apache.org>.
asfgit closed pull request #5725: Fix multiple CVE
URL: https://github.com/apache/jmeter/pull/5725




[GitHub] [jmeter] sseide commented on pull request #5725: Fix multiple CVE

Posted by GitBox <gi...@apache.org>.
sseide commented on PR #5725:
URL: https://github.com/apache/jmeter/pull/5725#issuecomment-1370692923

   And updated xstream to 1.4.20, fixing CVE-2022-40151 and CVE-2022-41966.
   Local tests are running again without problems.




[GitHub] [jmeter] FSchumacher commented on a diff in pull request #5725: Fix multiple CVE

Posted by GitBox <gi...@apache.org>.
FSchumacher commented on code in PR #5725:
URL: https://github.com/apache/jmeter/pull/5725#discussion_r1055666279


##########
xdocs/changes.xml:
##########
@@ -105,6 +105,11 @@ Summary
   <li><pr>5710</pr>Add GitHub Issue templates</li>
   <li><pr>5713</pr>Update Spock to 2.2-groovy-3.0 (from 2.1-groovy-3.0)</li>
   <li><issue>5718</issue>Update Apache commons-text to 1.10.0 (from 1.9)</li>
+  <li><issue>5725</issue>Update Jackson Core to 2.13.4 (from 2.13.2)</li>
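Review bot: the hunk header `@@ -105,6 +105,11 @@` announces five added lines, but only the Jackson Core entry is visible here, so this excerpt does not show whether the jsoup 1.15.3, jackson-databind 2.13.4.2 and tika-parsers 1.28.5 upgrades from the PR description got changelog entries of their own; each upgrade that closes a CVE should be listed, and the entry shown names only the version bump without the CVE ids the PR is meant to fix, which is what a reader of the release notes will look for.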

Review Comment:
   It probably doesn't matter much, but the correct markup for a pull request is `<pr>5725</pr>`.
   
   Apart from this, thanks for the well prepared PR.


