You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jmeter.apache.org by mi...@apache.org on 2021/12/23 16:51:08 UTC
[jmeter] branch fix-CVE-2021-45105 updated: prepare new version 5.4.3, update changes pages
This is an automated email from the ASF dual-hosted git repository.
milamber pushed a commit to branch fix-CVE-2021-45105
in repository https://gitbox.apache.org/repos/asf/jmeter.git
The following commit(s) were added to refs/heads/fix-CVE-2021-45105 by this push:
new b01f761 prepare new version 5.4.3, update changes pages
b01f761 is described below
commit b01f761463d7a3b7ee62230c5403e2da4970985e
Author: Milamber <mi...@apache.org>
AuthorDate: Thu Dec 23 17:51:02 2021 +0100
prepare new version 5.4.3, update changes pages
---
xdocs/changes.xml | 8 +-
xdocs/changes_history.xml | 497 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 501 insertions(+), 4 deletions(-)
diff --git a/xdocs/changes.xml b/xdocs/changes.xml
index 0736f2d..1bfabd6 100644
--- a/xdocs/changes.xml
+++ b/xdocs/changes.xml
@@ -41,13 +41,13 @@ Earlier changes are detailed in the <a href="changes_history.html">History of Pr
</note>
-<!-- =================== 5.4.2 =================== -->
+<!-- =================== 5.4.3 =================== -->
-<h1>Version 5.4.2</h1>
+<h1>Version 5.4.3</h1>
<p>
Summary
</p>
-<p>This version is a fix release against the vulnerability CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
+<p>This version is a fix release against the vulnerability CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
</p>
<ul>
<li><a href="#New and Noteworthy">New and Noteworthy</a></li>
@@ -114,7 +114,7 @@ Summary
<ch_section>Non-functional changes</ch_section>
<ul>
- <li>Updated Apache log4j2 to 2.16.0 (from 2.13.3).</li>
+ <li>Updated Apache Log4j2 to 2.17.0 (from 2.16.0).</li>
</ul>
<!-- =================== Bug fixes =================== -->
diff --git a/xdocs/changes_history.xml b/xdocs/changes_history.xml
index 5913567..6fcd2bd 100644
--- a/xdocs/changes_history.xml
+++ b/xdocs/changes_history.xml
@@ -41,6 +41,503 @@ Current changes are detailed in <a href="changes.html">Changes</a>.
<p><b>Changes sections are chronologically ordered from top (most recent) to bottom
(least recent)</b></p>
+<!-- =================== 5.4.2 =================== -->
+
+<h1>Version 5.4.2</h1>
+<p>
+Summary
+</p>
+<p>This version is a fix release against the vulnerability CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
+</p>
+<ul>
+<li><a href="#New and Noteworthy">New and Noteworthy</a></li>
+<li><a href="#Incompatible changes">Incompatible changes</a></li>
+<li><a href="#Bug fixes">Bug fixes</a></li>
+<li><a href="#Improvements">Improvements</a></li>
+<li><a href="#Non-functional changes">Non-functional changes</a></li>
+<li><a href="#Known problems and workarounds">Known problems and workarounds</a></li>
+<li><a href="#Thanks">Thanks</a></li>
+
+</ul>
+
+<ch_section>New and Noteworthy</ch_section>
+<!--
+<ch_title>Core improvements</ch_title>
+<ch_title>Test Plan</ch_title>
+<ch_title>Scripting / Debugging enhancements</ch_title>
+<ch_title>Functions</ch_title>
+-->
+<ch_title>UX improvements</ch_title>
+
+<!-- =================== Incompatible changes =================== -->
+
+<ch_section>Incompatible changes</ch_section>
+<!-- =================== Improvements =================== -->
+
+<ch_section>Improvements</ch_section>
+
+<h3>HTTP Samplers and Test Script Recorder</h3>
+<ul>
+</ul>
+
+<h3>Other samplers</h3>
+<ul>
+</ul>
+
+<h3>Controllers</h3>
+<ul>
+</ul>
+
+<h3>Listeners</h3>
+<ul>
+</ul>
+
+<h3>Timers, Assertions, Config, Pre- & Post-Processors</h3>
+<ul>
+</ul>
+
+<h3>Functions</h3>
+<ul>
+</ul>
+
+<h3>I18N</h3>
+<ul>
+</ul>
+
+<h3>Report / Dashboard</h3>
+<ul>
+</ul>
+
+<h3>General</h3>
+<ul>
+</ul>
+
+<ch_section>Non-functional changes</ch_section>
+<ul>
+ <li>Updated Apache log4j2 to 2.16.0 (from 2.13.3).</li>
+</ul>
+
+ <!-- =================== Bug fixes =================== -->
+
+<ch_section>Bug fixes</ch_section>
+
+<h3>HTTP Samplers and Test Script Recorder</h3>
+<ul>
+</ul>
+
+<h3>Other Samplers</h3>
+<ul>
+</ul>
+
+<h3>Controllers</h3>
+<ul>
+</ul>
+
+<h3>Listeners</h3>
+<ul>
+</ul>
+
+<h3>Timers, Assertions, Config, Pre- & Post-Processors</h3>
+<ul>
+</ul>
+
+<h3>Functions</h3>
+<ul>
+</ul>
+
+<h3>I18N</h3>
+<ul>
+</ul>
+
+<h3>Report / Dashboard</h3>
+<ul>
+</ul>
+
+<h3>Documentation</h3>
+<ul>
+</ul>
+
+<h3>General</h3>
+<ul>
+</ul>
+
+ <!-- =================== Thanks =================== -->
+
+<ch_section>Thanks</ch_section>
+<p>We thank all contributors mentioned in bug and improvement sections above:
+</p>
+<ul>
+</ul>
+<p>We also thank bug reporters who helped us improve JMeter.</p>
+<ul>
+</ul>
+<p>
+Apologies if we have omitted anyone else.
+</p>
+ <!-- =================== Known bugs or issues related to JAVA Bugs =================== -->
+
+<ch_section>Known problems and workarounds</ch_section>
+<ul>
+<li>The Once Only controller behaves correctly under a Thread Group or Loop Controller,
+but otherwise its behaviour is not consistent (or clearly specified).</li>
+
+<li>
+The numbers that appear to the left of the green box are the number of active threads / total number of threads,
+the total number of threads only applies to a locally run test, otherwise it will show <code>0</code> (see <bugzilla>55510</bugzilla>).
+</li>
+
+<li>
+Note that under some windows systems you may have this WARNING:
+<source>
+java.util.prefs.WindowsPreferences
+WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs at root 0
+x80000002. Windows RegCreateKeyEx(…) returned error code 5.
+</source>
+The fix is to run JMeter as Administrator, it will create the registry key for you, then you can restart JMeter as a normal user and you won't have the warning anymore.
+</li>
+
+<li>
+You may encounter the following error:
+<source>java.security.cert.CertificateException: Certificates does not conform to algorithm constraints</source>
+ if you run a HTTPS request on a web site with a SSL certificate (itself or one of SSL certificates in its chain of trust) with a signature
+ algorithm using MD2 (like <code>md2WithRSAEncryption</code>) or with a SSL certificate with a size lower than 1024 bits.
+This error is related to increased security in Java 8+.
+<br></br>
+To allow you to perform your HTTPS request, you can downgrade the security of your Java installation by editing
+the Java <code>jdk.certpath.disabledAlgorithms</code> property. Remove the MD2 value or the constraint on size, depending on your case.
+<br></br>
+This property is in this file:
+<source>JAVA_HOME/jre/lib/security/java.security</source>
+See <bugzilla>56357</bugzilla> for details.
+</li>
+
+<li>
+Under Mac OSX Aggregate Graph will show wrong values due to mirroring effect on numbers.
+This is due to a known Java bug, see Bug <a href="https://bugs.openjdk.java.net/browse/JDK-8065373" >JDK-8065373</a>
+The fix is to use JDK8_u45 or later.
+</li>
+
+<li>
+View Results Tree may fail to display some HTML code under HTML renderer, see <bugzilla>54586</bugzilla>.
+This is due to a known Java bug which fails to parse "<code>px</code>" units in row/col attributes.
+See Bug <a href="https://bugs.openjdk.java.net/browse/JDK-8031109" >JDK-8031109</a>
+The fix is to use JDK9 b65 or later.
+</li>
+
+<li>
+JTable selection with keyboard (<keycombo><keysym>SHIFT</keysym><keysym>up/down</keysym></keycombo>) is totally unusable with Java 7 on Mac OSX.
+This is due to a known Java bug <a href="https://bugs.openjdk.java.net/browse/JDK-8025126" >JDK-8025126</a>
+The fix is to use JDK 8 b132 or later.
+</li>
+
+<li>
+Since Java 11 the JavaScript implementation <a href="https://openjdk.java.net/jeps/335">Nashorn has been deprecated</a>.
+Java will emit the following deprecation warnings, if you are using JavaScript based on Nashorn.
+<source>
+Warning: Nashorn engine is planned to be removed from a future JDK release
+</source>
+To silence these warnings, add <code>-Dnashorn.args=--no-deprecation-warning</code> to your Java arguments.
+That can be achieved by setting the enviroment variable <code>JVM_ARGS</code>
+<source>
+export JVM_ARGS="-Dnashorn.args=--no-deprecation-warning"
+</source>
+</li>
+
+<li>
+With Java 15 the JavaScript implementation <a href="https://openjdk.java.net/jeps/372">Nashorn has been removed</a>. To add back a JSR-223 compatible JavaScript engine you have two options:
+ <dl>
+ <dt>Use Mozilla Rhino</dt>
+ <dd>Copy <a href="https://github.com/mozilla/rhino/releases/download/Rhino1_7_13_Release/rhino-engine-1.7.13.jar">rhino-engine-1.7.13.jar</a> into <code>$JMETER_HOME/lib/ext</code>.</dd>
+ <dt>Use OpenJDK Nashorn</dt>
+ <dd>
+ The OpenJDK Nashorn implementation comes as a module. To use it, you will have to download it and add it to the module path. A hacky way to download the version 15.0 and its dependencies and set the module path is outlined below:
+ <source>
+mkdir lib/modules
+pushd lib/modules
+wget https://repo1.maven.org/maven2/org/openjdk/nashorn/nashorn-core/15.0/nashorn-core-15.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm/9.0/asm-9.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm-commons/9.0/asm-commons-9.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm-util/9.0/asm-util-9.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm-tree/9.0/asm-tree-9.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm-analysis/9.0/asm-analysis-9.0.jar
+popd
+export JVM_ARGS="--modulepath $PWD/lib/modules"
+./bin/jmeter
+ </source>
+ </dd>
+ </dl>
+</li>
+
+</ul>
+
+<!-- =================== 5.4.1 =================== -->
+
+<h1>Version 5.4.1</h1>
+<p>
+Summary
+</p>
+<ul>
+<li><a href="#New and Noteworthy">New and Noteworthy</a></li>
+<li><a href="#Incompatible changes">Incompatible changes</a></li>
+<li><a href="#Bug fixes">Bug fixes</a></li>
+<li><a href="#Improvements">Improvements</a></li>
+<li><a href="#Non-functional changes">Non-functional changes</a></li>
+<li><a href="#Known problems and workarounds">Known problems and workarounds</a></li>
+<li><a href="#Thanks">Thanks</a></li>
+
+</ul>
+
+<ch_section>New and Noteworthy</ch_section>
+<!--
+<ch_title>Core improvements</ch_title>
+<ch_title>Test Plan</ch_title>
+<ch_title>Scripting / Debugging enhancements</ch_title>
+<ch_title>Functions</ch_title>
+-->
+<ch_title>UX improvements</ch_title>
+
+<!-- =================== Incompatible changes =================== -->
+
+<ch_section>Incompatible changes</ch_section>
+<ul>
+ <li>Restart after LAF change has been reinstated, it had been removed in JMeter 5.3</li>
+</ul>
+<!-- =================== Improvements =================== -->
+
+<ch_section>Improvements</ch_section>
+
+<h3>HTTP Samplers and Test Script Recorder</h3>
+<ul>
+</ul>
+
+<h3>Other samplers</h3>
+<ul>
+</ul>
+
+<h3>Controllers</h3>
+<ul>
+</ul>
+
+<h3>Listeners</h3>
+<ul>
+</ul>
+
+<h3>Timers, Assertions, Config, Pre- & Post-Processors</h3>
+<ul>
+</ul>
+
+<h3>Functions</h3>
+<ul>
+</ul>
+
+<h3>I18N</h3>
+<ul>
+</ul>
+
+<h3>Report / Dashboard</h3>
+<ul>
+</ul>
+
+<h3>General</h3>
+<ul>
+ <li><bug>65028</bug>Add documentation for the property <code>client.rmi.localport</code></li>
+ <li><bug>65012</bug>Better handling of displaying long comments in the GUI</li>
+</ul>
+
+<ch_section>Non-functional changes</ch_section>
+<ul>
+ <li>Updated SaxonHE to 9.9.1-8 (from 9.9.1-7)</li>
+ <li>Updated asm to 9.0 (from 7.3.1)</li>
+ <li>Updated bouncycastle to 1.67 (from 1.66)</li>
+ <li>Updated caffeine to 2.8.8 (from 2.8.0)</li>
+ <li>Updated commons-codec to 1.15 (from 1.14)</li>
+ <li>Updated commons-io to 2.8.0 (from 2.7)</li>
+ <li>Updated commons-net to 3.7.2 (from 3.7)</li>
+ <li>Updated jackson to 2.10.5 (from 2.10.3)</li>
+ <li>Updated junit to 4.13.1 (from 4.13)</li>
+ <li>Updated ph-commons to 9.5.1 (from 9.4.1)</li>
+ <li>Updated ph-css to 6.2.3 (from 6.2.1)</li>
+ <li>Updated groovy to 3.0.7 (from 3.0.5)</li>
+ <li>Updated xstream to 1.4.15 (from 1.4.14)</li>
+</ul>
+
+ <!-- =================== Bug fixes =================== -->
+
+<ch_section>Bug fixes</ch_section>
+
+<h3>HTTP Samplers and Test Script Recorder</h3>
+<ul>
+ <li><bug>64955</bug>Keystore password not reset on reload</li>
+ <li><bug>65002</bug>HTTP(S) Test Script recorder creates an invalid Basic authentication URL. Contributed by Ubik Load Pack (https://ubikloadpack.com)</li>
+ <li><bug>65004</bug>HTTP(S) Test Script recorder computes wrong HTTP Request breaking the application. Contributed by Ubik Load Pack (https://ubikloadpack.com)</li>
+ <li><bug>64543</bug>On MacOSX, Darklaf- IntelliJ Theme throws NPE in javax.swing.ToolTipManager.initiateToolTip</li>
+ <li><bug>65024</bug>Sending mime type with parameter throws IllegalArgumentException</li>
+ <li><bug>65029</bug>Try harder to correctly guess the URL for applets, when download embedded URLs is enabled</li>
+</ul>
+
+<h3>Other Samplers</h3>
+<ul>
+ <li><bug>65034</bug>Ignore <code>SocketTimeoutException</code> on <code>BinaryTCPClientImpl</code>, when no EOM Byte is set. Regression
+ introduced by commit c190641e4f0474a34a366a72364b0a8dd25bfc81 which fixed <bug>52104</bug>. That bug was bout handling
+ the case of waiting for an EOM.</li>
+</ul>
+
+<h3>Controllers</h3>
+<ul>
+</ul>
+
+<h3>Listeners</h3>
+<ul>
+ <li><bug>64821</bug>When importing XML formatted jtl files, sub samplers will get renamed</li>
+ <li><bug>65052</bug>XPath2 Tester and JSON JMESPath Tester are missing in <code>view.results.tree.renderers_order</code> property</li>
+</ul>
+
+<h3>Timers, Assertions, Config, Pre- & Post-Processors</h3>
+<ul>
+</ul>
+
+<h3>Functions</h3>
+<ul>
+</ul>
+
+<h3>I18N</h3>
+<ul>
+</ul>
+
+<h3>Report / Dashboard</h3>
+<ul>
+</ul>
+
+<h3>Documentation</h3>
+<ul>
+ <li><bug>64960</bug>Change scheduler reference in Thread Group documentation. Contributed by Ori Marko</li>
+ <li><bug>65006</bug>Illustration for completed HTTP Request Defaults element (Figure 4.4) contains misleading info</li>
+</ul>
+
+<h3>General</h3>
+<ul>
+ <li><bug>64957</bug>When importing example test plan JMeter displays an NullPointerException</li>
+ <li><bug>64961</bug>Darklaf: On Windows 7, NPE in BasicEditorPaneUI.cleanDisplayProperties with Darklaf Intellij</li>
+ <li><bug>64963</bug>Blank comment tooltip is visible</li>
+ <li><bug>64969</bug>RemoteJMeterEngineImpl#rexit doesn't unexport RemoteJMeterEngineImpl on exit. Contributed by luo_isaiah at qq.com</li>
+ <li><bug>64984</bug>Darklaf LAF: Selecting a Test element does not work under certain screen resolutions on Windows. With the help of Jannis Weis</li>
+ <li><bug>65008</bug>SampleResult.setIgnore() called from PostProcessor is not considered</li>
+ <li><bug>64993</bug>Daklaf LAF: Menu navigation not working with keyboard shortcuts. With the help of Jannis Weis</li>
+ <li><bug>65013</bug>POST multipart/form-data cURL code with quoted arguments is not imported correctly</li>
+</ul>
+
+ <!-- =================== Thanks =================== -->
+
+<ch_section>Thanks</ch_section>
+<p>We thank all contributors mentioned in bug and improvement sections above:
+</p>
+<ul>
+ <li>Ori Marko (orimarko at gmail.com)</li>
+ <li>罗寅卓 (luo_isaiah at qq.com)</li>
+ <li><a href="https://ubikloadpack.com" >Ubik Load Pack</a></li>
+ <li><a href="https://github.com/weisJ/darklaf">Jannis Weis</a></li>
+</ul>
+<p>We also thank bug reporters who helped us improve JMeter.</p>
+<ul>
+</ul>
+<p>
+Apologies if we have omitted anyone else.
+</p>
+ <!-- =================== Known bugs or issues related to JAVA Bugs =================== -->
+
+<ch_section>Known problems and workarounds</ch_section>
+<ul>
+<li>The Once Only controller behaves correctly under a Thread Group or Loop Controller,
+but otherwise its behaviour is not consistent (or clearly specified).</li>
+
+<li>
+The numbers that appear to the left of the green box are the number of active threads / total number of threads,
+the total number of threads only applies to a locally run test, otherwise it will show <code>0</code> (see <bugzilla>55510</bugzilla>).
+</li>
+
+<li>
+Note that under some windows systems you may have this WARNING:
+<source>
+java.util.prefs.WindowsPreferences
+WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs at root 0
+x80000002. Windows RegCreateKeyEx(…) returned error code 5.
+</source>
+The fix is to run JMeter as Administrator, it will create the registry key for you, then you can restart JMeter as a normal user and you won't have the warning anymore.
+</li>
+
+<li>
+You may encounter the following error:
+<source>java.security.cert.CertificateException: Certificates does not conform to algorithm constraints</source>
+ if you run a HTTPS request on a web site with a SSL certificate (itself or one of SSL certificates in its chain of trust) with a signature
+ algorithm using MD2 (like <code>md2WithRSAEncryption</code>) or with a SSL certificate with a size lower than 1024 bits.
+This error is related to increased security in Java 8+.
+<br></br>
+To allow you to perform your HTTPS request, you can downgrade the security of your Java installation by editing
+the Java <code>jdk.certpath.disabledAlgorithms</code> property. Remove the MD2 value or the constraint on size, depending on your case.
+<br></br>
+This property is in this file:
+<source>JAVA_HOME/jre/lib/security/java.security</source>
+See <bugzilla>56357</bugzilla> for details.
+</li>
+
+<li>
+Under Mac OSX Aggregate Graph will show wrong values due to mirroring effect on numbers.
+This is due to a known Java bug, see Bug <a href="https://bugs.openjdk.java.net/browse/JDK-8065373" >JDK-8065373</a>
+The fix is to use JDK8_u45 or later.
+</li>
+
+<li>
+View Results Tree may fail to display some HTML code under HTML renderer, see <bugzilla>54586</bugzilla>.
+This is due to a known Java bug which fails to parse "<code>px</code>" units in row/col attributes.
+See Bug <a href="https://bugs.openjdk.java.net/browse/JDK-8031109" >JDK-8031109</a>
+The fix is to use JDK9 b65 or later.
+</li>
+
+<li>
+JTable selection with keyboard (<keycombo><keysym>SHIFT</keysym><keysym>up/down</keysym></keycombo>) is totally unusable with Java 7 on Mac OSX.
+This is due to a known Java bug <a href="https://bugs.openjdk.java.net/browse/JDK-8025126" >JDK-8025126</a>
+The fix is to use JDK 8 b132 or later.
+</li>
+
+<li>
+Since Java 11 the JavaScript implementation <a href="https://openjdk.java.net/jeps/335">Nashorn has been deprecated</a>.
+Java will emit the following deprecation warnings, if you are using JavaScript based on Nashorn.
+<source>
+Warning: Nashorn engine is planned to be removed from a future JDK release
+</source>
+To silence these warnings, add <code>-Dnashorn.args=--no-deprecation-warning</code> to your Java arguments.
+That can be achieved by setting the enviroment variable <code>JVM_ARGS</code>
+<source>
+export JVM_ARGS="-Dnashorn.args=--no-deprecation-warning"
+</source>
+</li>
+
+<li>
+With Java 15 the JavaScript implementation <a href="https://openjdk.java.net/jeps/372">Nashorn has been removed</a>. To add back a JSR-223 compatible JavaScript engine you have two options:
+ <dl>
+ <dt>Use Mozilla Rhino</dt>
+ <dd>Copy <a href="https://github.com/mozilla/rhino/releases/download/Rhino1_7_13_Release/rhino-engine-1.7.13.jar">rhino-engine-1.7.13.jar</a> into <code>$JMETER_HOME/lib/ext</code>.</dd>
+ <dt>Use OpenJDK Nashorn</dt>
+ <dd>
+ The OpenJDK Nashorn implementation comes as a module. To use it, you will have to download it and add it to the module path. A hacky way to download the version 15.0 and its dependencies and set the module path is outlined below:
+ <source>
+mkdir lib/modules
+pushd lib/modules
+wget https://repo1.maven.org/maven2/org/openjdk/nashorn/nashorn-core/15.0/nashorn-core-15.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm/9.0/asm-9.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm-commons/9.0/asm-commons-9.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm-util/9.0/asm-util-9.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm-tree/9.0/asm-tree-9.0.jar
+wget https://repo1.maven.org/maven2/org/ow2/asm/asm-analysis/9.0/asm-analysis-9.0.jar
+popd
+export JVM_ARGS="--modulepath $PWD/lib/modules"
+./bin/jmeter
+ </source>
+ </dd>
+ </dl>
+</li>
+
+</ul>
<!-- =================== 5.4 =================== -->
<h1>Version 5.4</h1>