Posted to issues@jmeter.apache.org by root <bu...@apache.org> on 2019/02/14 11:41:28 UTC
[Bug 63175] New: Please update dependency of slf4j (CVE-2018-8088)
https://bz.apache.org/bugzilla/show_bug.cgi?id=63175
Bug ID: 63175
Summary: Please update dependency of slf4j (CVE-2018-8088)
Product: JMeter
Version: 5.0
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Main
Assignee: issues@jmeter.apache.org
Reporter: stefan@trilobyte-se.de
Target Milestone: JMETER_5.2
Due to some security problems in the currently used slf4j 1.7.25, an update to
the current 1.8.0 should be considered, even if it's flagged as beta3 right now.
Problem CVE-2018-8088 -
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
I have not checked if it is possible for users (test plan creators) to exploit
this bug via JSR223 Sampler/Processors etc. with custom log messages or if
this data may be fed into JMeter via different ways, but at least this risk
should be evaluated and mitigated by updating slf4j.
Thanks,
Stefan Seide
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 63175] Please update dependency of slf4j (CVE-2018-8088)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63175
Philippe Mouawad <p....@ubik-ingenierie.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk
[Bug 63175] Please update dependency of slf4j (CVE-2018-8088)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63175
Philippe Mouawad <p....@ubik-ingenierie.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |p.mouawad@ubik-ingenierie.com
Target Milestone|JMETER_5.2 |JMETER_5.1
[Bug 63175] Please update dependency of slf4j (CVE-2018-8088)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63175
Felix Schumacher <fe...@internetallee.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |DUPLICATE
Status|NEW |RESOLVED
--- Comment #1 from Felix Schumacher <fe...@internetallee.de> ---
The CVE is about slf4j-ext, which is dropped already from our dependencies in
trunk and will be removed with JMeter version 5.1 which is currently voted on.
*** This bug has been marked as a duplicate of bug 63090 ***