Posted to issues@jmeter.apache.org by root <bu...@apache.org> on 2019/02/14 11:41:28 UTC

[Bug 63175] New: Please update dependency of slf4j (CVE-2018-8088)

https://bz.apache.org/bugzilla/show_bug.cgi?id=63175

            Bug ID: 63175
           Summary: Please update dependency of slf4j (CVE-2018-8088)
           Product: JMeter
           Version: 5.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Main
          Assignee: issues@jmeter.apache.org
          Reporter: stefan@trilobyte-se.de
  Target Milestone: JMETER_5.2

Due to some security problems in the currently used slf4j 1.7.25, an update to
the current 1.8.0 should be considered, even if it's flagged as beta3 right now.

Problem CVE-2018-8088 -
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088

I have not checked if it is possible for users (test plan creators) to exploit
this bug via JSR223 Sampler/Processors etc. with custom log messages or if
these data may be fed into JMeter via different ways, but at least this risk
should be evaluated and mitigated by updating slf4j.

Thanks,
Stefan Seide

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 63175] Please update dependency of slf4j (CVE-2018-8088)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63175

Philippe Mouawad <p....@ubik-ingenierie.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk


[Bug 63175] Please update dependency of slf4j (CVE-2018-8088)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63175

Philippe Mouawad <p....@ubik-ingenierie.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |p.mouawad@ubik-ingenierie.c
                   |                            |om
   Target Milestone|JMETER_5.2                  |JMETER_5.1


[Bug 63175] Please update dependency of slf4j (CVE-2018-8088)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63175

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED

--- Comment #1 from Felix Schumacher <fe...@internetallee.de> ---
The CVE is about slf4j-ext, which is dropped already from our dependencies in
trunk and will be removed with JMeter version 5.1 which is currently voted on.

*** This bug has been marked as a duplicate of bug 63090 ***
