This is an automated email from the ASF dual-hosted git repository. milamber pushed a commit to branch fix-CVE-2021-44228 in repository https://gitbox.apache.org/repos/asf/jmeter.git
commit fca416257af9dc42c2ad6be0767337d7444eb9c4 Author: Milamber <[email protected]> AuthorDate: Wed Dec 15 13:00:12 2021 +0100 Update log4j2 to 2.16.0 to fix CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints --- gradle.properties | 2 +- src/dist/src/dist/expected_release_jars.csv | 8 ++--- xdocs/changes.xml | 50 +++-------------------------- 3 files changed, 10 insertions(+), 50 deletions(-) diff --git a/gradle.properties b/gradle.properties index f9f3402..8dfd113 100644 --- a/gradle.properties +++ b/gradle.properties @@ -106,7 +106,7 @@ jsoup.version=1.13.1 jtidy.version=r938 junit4.version=4.13.1 junit5.version=5.7.0 -log4j.version=2.13.3 +log4j.version=2.16.0 mail.version=1.5.0-b01 miglayout.version=5.2 mina-core.version=2.0.19 diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv index a9943ff..eab7c50 100644 --- a/src/dist/src/dist/expected_release_jars.csv +++ b/src/dist/src/dist/expected_release_jars.csv @@ -68,10 +68,10 @@ 249924,jtidy-r938.jar 382708,junit-4.13.1.jar 48483,jxlayer-3.0.4.jar -201685,log4j-1.2-api-2.13.3.jar -292301,log4j-api-2.13.3.jar -1714164,log4j-core-2.13.3.jar -23590,log4j-slf4j-impl-2.13.3.jar +207909,log4j-1.2-api-2.16.0.jar +301892,log4j-api-2.16.0.jar +1789565,log4j-core-2.16.0.jar +24258,log4j-slf4j-impl-2.16.0.jar 519087,mail-1.5.0-b01.jar 106939,miglayout-core-5.2.jar 22390,miglayout-swing-5.2.jar diff --git a/xdocs/changes.xml b/xdocs/changes.xml index 6b65c62..0736f2d 100644 --- a/xdocs/changes.xml +++ b/xdocs/changes.xml 
@@ -41,12 +41,14 @@ Earlier changes are detailed in the <a href="changes_history.html">History of Pr </note> -<!-- =================== 5.4.1 =================== --> +<!-- =================== 5.4.2 =================== --> -<h1>Version 5.4.1</h1> +<h1>Version 5.4.2</h1> <p> Summary </p> +<p>This version is a fix release against the vulnerability CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. +</p> <ul> <li><a href="#New and Noteworthy">New and Noteworthy</a></li> <li><a href="#Incompatible changes">Incompatible changes</a></li> @@ -70,9 +72,6 @@ Summary <!-- =================== Incompatible changes =================== --> <ch_section>Incompatible changes</ch_section> -<ul> - <li>Restart after LAF change has been reinstated, it had been removed in JMeter 5.3</li> -</ul> <!-- =================== Improvements =================== --> <ch_section>Improvements</ch_section> 
@@ -111,25 +110,11 @@ Summary <h3>General</h3> <ul> - <li><bug>65028</bug>Add documentation for the property <code>client.rmi.localport</code></li> - <li><bug>65012</bug>Better handling of displaying long comments in the GUI</li> </ul> <ch_section>Non-functional changes</ch_section> <ul> - <li>Updated SaxonHE to 9.9.1-8 (from 9.9.1-7)</li> - <li>Updated asm to 9.0 (from 7.3.1)</li> - <li>Updated bouncycastle to 1.67 (from 1.66)</li> - <li>Updated caffeine to 2.8.8 (from 2.8.0)</li> - <li>Updated commons-codec to 1.15 (from 1.14)</li> - <li>Updated commons-io to 2.8.0 (from 2.7)</li> - <li>Updated commons-net to 3.7.2 (from 3.7)</li> - <li>Updated jackson to 2.10.5 (from 2.10.3)</li> - <li>Updated junit to 4.13.1 (from 4.13)</li> - <li>Updated ph-commons to 9.5.1 (from 9.4.1)</li> - <li>Updated ph-css to 6.2.3 (from 6.2.1)</li> - <li>Updated groovy to 3.0.7 (from 3.0.5)</li> - <li>Updated xstream to 1.4.15 (from 1.4.14)</li> + <li>Updated Apache log4j2 to 2.16.0 (from 2.13.3).</li> </ul> <!-- =================== Bug fixes =================== --> 
@@ -138,19 +123,10 @@ Summary <h3>HTTP Samplers and Test Script Recorder</h3> <ul> - <li><bug>64955</bug>Keystore password not reset on reload</li> - <li><bug>65002</bug>HTTP(S) Test Script recorder creates an invalid Basic authentication URL. Contributed by Ubik Load Pack (https://ubikloadpack.com)</li> - <li><bug>65004</bug>HTTP(S) Test Script recorder computes wrong HTTP Request breaking the application. Contributed by Ubik Load Pack (https://ubikloadpack.com)</li> - <li><bug>64543</bug>On MacOSX, Darklaf- IntelliJ Theme throws NPE in javax.swing.ToolTipManager.initiateToolTip</li> - <li><bug>65024</bug>Sending mime type with parameter throws IllegalArgumentException</li> - <li><bug>65029</bug>Try harder to correctly guess the URL for applets, when download embedded URLs is enabled</li> </ul> <h3>Other Samplers</h3> <ul> - <li><bug>65034</bug>Ignore <code>SocketTimeoutException</code> on <code>BinaryTCPClientImpl</code>, when no EOM Byte is set. Regression - introduced by commit c190641e4f0474a34a366a72364b0a8dd25bfc81 which fixed <bug>52104</bug>. That bug was bout handling - the case of waiting for an EOM.</li> </ul> <h3>Controllers</h3> @@ -159,8 +135,6 @@ Summary <h3>Listeners</h3> <ul> - <li><bug>64821</bug>When importing XML formatted jtl files, sub samplers will get renamed</li> - <li><bug>65052</bug>XPath2 Tester and JSON JMESPath Tester are missing in <code>view.results.tree.renderers_order</code> property</li> </ul> <h3>Timers, Assertions, Config, Pre- & Post-Processors</h3> 
@@ -181,20 +155,10 @@ Summary <h3>Documentation</h3> <ul> - <li><bug>64960</bug>Change scheduler reference in Thread Group documentation. Contributed by Ori Marko</li> - <li><bug>65006</bug>Illustration for completed HTTP Request Defaults element (Figure 4.4) contains misleading info</li> </ul> <h3>General</h3> <ul> - <li><bug>64957</bug>When importing example test plan JMeter displays an NullPointerException</li> - <li><bug>64961</bug>Darklaf: On Windows 7, NPE in BasicEditorPaneUI.cleanDisplayProperties with Darklaf Intellij</li> - <li><bug>64963</bug>Blank comment tooltip is visible</li> - <li><bug>64969</bug>RemoteJMeterEngineImpl#rexit doesn't unexport RemoteJMeterEngineImpl on exit. Contributed by luo_isaiah at qq.com</li> - <li><bug>64984</bug>Darklaf LAF: Selecting a Test element does not work under certain screen resolutions on Windows. With the help of Jannis Weis</li> - <li><bug>65008</bug>SampleResult.setIgnore() called from PostProcessor is not considered</li> - <li><bug>64993</bug>Daklaf LAF: Menu navigation not working with keyboard shortcuts. With the help of Jannis Weis</li> - <li><bug>65013</bug>POST multipart/form-data cURL code with quoted arguments is not imported correctly</li> </ul> <!-- =================== Thanks =================== --> @@ -203,10 +167,6 @@ Summary <p>We thank all contributors mentioned in bug and improvement sections above: </p> <ul> - <li>Ori Marko (orimarko at gmail.com)</li> - <li>罗寅卓 (luo_isaiah at qq.com)</li> - <li><a href="https://ubikloadpack.com" >Ubik Load Pack</a></li> - <li><a href="https://github.com/weisJ/darklaf">Jannis Weis</a></li> </ul> <p>We also thank bug reporters who helped us improve JMeter.</p> <ul>
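Review bot: in the gradle.properties hunk (`@@ -106,7 +106,7 @@`), the single `-log4j.version=2.13.3` / `+log4j.version=2.16.0` pair is the entire functional fix; the other two files only record the consequences. Before merging, confirm that no module or test configuration pins a log4j artifact independently of `log4j.version`, and that a dependency report after the bump shows only 2.16.0 log4j jars, since a stray transitive 2.13.x log4j-core would keep the JNDI lookup path described in the commit message reachable.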
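Review bot: the four rows replaced in expected_release_jars.csv (`+207909,log4j-1.2-api-2.16.0.jar` through `+24258,log4j-slf4j-impl-2.16.0.jar`) keep the file's size-plus-filename format, which catches a wrong or truncated artifact but not a modified one. Since this is a security release, the commit message should say where the new sizes were taken from (the artifacts as resolved by the build from the release repository) so the check remains meaningful and reproducible by the release manager.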
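Review bot: the `<p>` added in the `@@ -41,12 +41,14 @@` hunk of xdocs/changes.xml names CVE-2021-44228 in prose only, while the same hunk's context already uses `<a href="...">` links; the CVE identifier should link to its advisory entry, and the sentence should state which JMeter releases are affected (those shipping log4j 2.13.3) so operators can decide whether they must upgrade. Minor wording: "a fix release against the vulnerability" reads better as "a fix release for".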
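Review bot: the `@@ -70,9 +72,6 @@` hunk deletes the 5.4.1 "Incompatible changes" entry, and the later hunks delete the rest of the 5.4.1 notes, but the diff stat shows only three files changed, so nothing in this commit adds them to changes_history.xml, which the hunk's own context line ("Earlier changes are detailed in the ... History of Pr...") points readers to. Verify that the 5.4.1 section was already carried over there, or move it in the same commit, so the release history is not silently lost.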
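Review bot: after the `@@ -111,25 +110,11 @@` hunk, the `<h3>General</h3>` list under Improvements is an empty `<ul></ul>`, and the bug-fix hunks leave the same empty pairs under HTTP Samplers, Other Samplers, Listeners, Documentation and General; these render as headings with nothing beneath them. Either drop the empty subsections or remove the `<ul>` as the `@@ -70` hunk does for Incompatible changes, but use one convention throughout the file.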
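Review bot: the `@@ -203,10 +167,6 @@` hunk empties the contributors `<ul>` but keeps the sentence "We thank all contributors mentioned in bug and improvement sections above", which now introduces an empty list. Remove the sentence together with the list, or keep it only if someone is to be credited for the log4j update in this release.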
