Posted to dev@jmeter.apache.org by GitBox <gi...@apache.org> on 2021/10/21 10:58:37 UTC

[GitHub] [jmeter] sseide opened a new pull request #675: update x-stream to 1.4.18 (from 1.4.17)

sseide opened a new pull request #675:
URL: https://github.com/apache/jmeter/pull/675


   ## Description
   The latest update to xstream 1.4.18 contains fixes for 14 CVEs (http://x-stream.github.io/changes.html)
   
   ## Motivation and Context
   Up to version 1.4.17 (before this update) xstream used an internal blacklist to block potential security threats on class (de)serialisation. With this new version they changed to an internal whitelist to allow safe operations only.
   
   BUT - jmeter initializes xstream with an empty security framework (no white/blacklist at all) in JMeterUtils.java
   (https://github.com/apache/jmeter/blob/5f1995de244986c820ed47028ceedf9167004673/src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java#L1274:L1280), therefore I think the internal change in xstream does not change anything for jmeter.
   
   On the other hand I am not really sure about the security implications of running without a list at all and if these fixes really help...
   Someone with a deeper understanding of JMeter's usage of xstream should check where the serialisation is used and where the objects to serialize/unserialize come from (external/network or only internal).
   
   ## How Has This Been Tested?
   `gradlew check` runs without problem and we have used it for nearly 2 months ourselves without any problem.
   
   ## Screenshots (if appropriate):
   
   ## Types of changes
   - Bug fix (non-breaking change which fixes an issue)
   
   ## Checklist:
   <!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
   <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
   - [x] My code follows the [code style][style-guide] of this project.
   - [x] I have updated the documentation accordingly.
   
   [style-guide]: https://wiki.apache.org/jmeter/CodeStyleGuidelines
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@jmeter.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
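The allowlist the PR description refers to, shown as an added Java example (this is not JMeter's code and not code from the PR): it configures an XStream 1.4.x instance through XStream's own security API so that only explicitly permitted types can be deserialised, and shows that a document naming any other type is rejected with `ForbiddenClassException` before an instance of that type is created. The `Settings` and `Untrusted` classes are constructed for the illustration; the wildcard package name in the comment is hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

public class XStreamAllowlistDemo {

    /** Constructed stand-in for a trusted, project-owned type that may be deserialised. */
    public static class Settings {
        String name;
        int threads;
        Settings(String name, int threads) { this.name = name; this.threads = threads; }
    }

    /** Constructed stand-in for a type that is deliberately NOT on the allowlist. */
    public static class Untrusted {
        String data = "x";
    }

    /** Build an XStream instance that accepts only explicitly allowed types on unmarshalling. */
    static XStream allowlistedXStream() {
        XStream xstream = new XStream();
        // Start from "deny every type", then add back the minimum needed.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypes(new Class[] { String.class, Settings.class });
        // Whole packages can be allowed as well (package name below is hypothetical):
        // xstream.allowTypesByWildcard(new String[] { "com.example.trusted.**" });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = allowlistedXStream();

        // Round-trip an allowed type: serialisation and deserialisation both succeed.
        String xml = xstream.toXML(new Settings("plan", 4));
        Settings restored = (Settings) xstream.fromXML(xml);
        System.out.println("restored: " + restored.name + "/" + restored.threads);

        // Permissions are only checked on unmarshalling, so producing the document
        // works; reading it back is refused because Untrusted is not allowlisted.
        String rejected = xstream.toXML(new Untrusted());
        try {
            xstream.fromXML(rejected);
            System.out.println("unexpected: deserialised a non-allowlisted type");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The order matters: `NoTypePermission.NONE` clears any implicit permissions, and everything added after it is the complete set of what a document may instantiate. Reviewing which permissions an application registers (and whether they amount to "allow anything") is the check the PR description asks for.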



[GitHub] [jmeter] sseide commented on pull request #675: update x-stream to 1.4.18 (from 1.4.17)

Posted by GitBox <gi...@apache.org>.
sseide commented on pull request #675:
URL: https://github.com/apache/jmeter/pull/675#issuecomment-1006606440


   no - it does not seem so.
   @milamberspace started the current release branch directly after 5.4.1 was released and fixed only the log4j issues with the newer releases 5.4.2 and 5.4.3. Nothing else.
   
   All other updates (like the xstream one) are not released yet. Maybe Felix Schumacher or Milamber can say something about the next planned release 5.5. This one is nearly finished, it seems, looking at the commit history...





[GitHub] [jmeter] johnynfulleffect commented on pull request #675: update x-stream to 1.4.18 (from 1.4.17)

Posted by GitBox <gi...@apache.org>.
johnynfulleffect commented on pull request #675:
URL: https://github.com/apache/jmeter/pull/675#issuecomment-1006583276


   @sseide @FSchumacher Just curious if this made it into any tags?  I am seeing this vulnerability in my scans of my docker image when using `rel/v5.4.3`





[GitHub] [jmeter] asfgit closed pull request #675: update x-stream to 1.4.18 (from 1.4.17)

Posted by GitBox <gi...@apache.org>.
asfgit closed pull request #675:
URL: https://github.com/apache/jmeter/pull/675


   





[GitHub] [jmeter] FSchumacher commented on pull request #675: update x-stream to 1.4.18 (from 1.4.17)

Posted by GitBox <gi...@apache.org>.
FSchumacher commented on pull request #675:
URL: https://github.com/apache/jmeter/pull/675#issuecomment-952198861


   Thanks for the PR

