Hello,

We've just released version 0.16.0 of the jmx_exporter 
(https://github.com/prometheus/jmx_exporter/releases/tag/parent-0.16.0)

*Update SnakeYAML Dependency Version (#592 <https://github.com/prometheus/jmx_exporter/issues/592>)*

Starting with version 0.16.0, the Java agent is released in two versions:

   - jmx_prometheus_javaagent-0.16.0.jar 
     <https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.16.0/jmx_prometheus_javaagent-0.16.0.jar> 
     requires Java >= 7.
   - jmx_prometheus_javaagent-0.16.0_java6.jar 
     <https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.16.0/jmx_prometheus_javaagent_java6-0.16.0.jar> 
     is compatible with Java 6.

Both versions are built from the same source files and have identical 
functionality. The only difference is the version of the included snakeyaml 
<https://bitbucket.org/asomov/snakeyaml/wiki/Home> dependency.

jmx_exporter uses the snakeyaml library to read the YAML configuration 
file. Snakeyaml 1.23 is the last release to support Java 6 
<https://bitbucket.org/asomov/snakeyaml/wiki/Changes>. This version is 
affected by CVE-2017-18640 <https://nvd.nist.gov/vuln/detail/CVE-2017-18640>, 
which can cause snakeyaml to execute arbitrary code if the YAML file comes 
from an untrusted source.

This vulnerability does not apply in the context of jmx_exporter, because 
the agent configuration does not come from an untrusted source. However, 
even if there is no actual security risk, users find it annoying that their 
automated security scans report a CVE. In order to prevent this we 
published a version with an updated snakeyaml dependency that requires Java 
>= 7.

*Other Changes*

   - [BUGFIX] Leverages the interpolated help when the matching rule is 
   cached (fixes #612 
   <https://github.com/prometheus/jmx_exporter/issues/612>) (#613 
   <https://github.com/prometheus/jmx_exporter/pull/613>)
   - [ENHANCEMENT] Automated integration tests of different Java versions 
   using Testcontainers <https://www.testcontainers.org/>. Docker needs to 
   be installed on a system in order to run ./mvnw verify.
   - [ENHANCEMENT] Bump logback-classic version (#617 
   <https://github.com/prometheus/jmx_exporter/pull/617>)
   - [ENHANCEMENT] Update to client_java 0.11.0
   - [ENHANCEMENT] Added support for java.util.Optional (the SonarQube 
   maintainers had this weird idea of an Optional<Long> property in an 
   MBean)

Fabian
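As an added illustration of the point above about trusted versus untrusted YAML (this is example code, not code from jmx_exporter or from the announcement): the reason CVE-2017-18640 hinges on the source of the file is that SnakeYAML's default loader resolves a global `!!` tag to a Java class and instantiates it, whereas a `Yaml` built with `SafeConstructor` only knows the standard YAML types and rejects such tags. The config text, the `Marker` bean and the class name `YamlLoaderDemo` are constructed for this example; whether jmx_exporter itself uses `SafeConstructor` is not stated on the page.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class YamlLoaderDemo {

    // Constructed sample in the style of an agent config (not the project's own file).
    static final String AGENT_CONFIG =
            "lowercaseOutputName: true\n" +
            "rules:\n" +
            "  - pattern: 'java.lang<type=Memory><HeapMemoryUsage>used'\n" +
            "    name: jvm_heap_used_bytes\n";

    // A harmless JavaBean used only to show that a tag selects the class to build.
    public static class Marker {
        public String name;
    }

    // Constructed document carrying a global tag that names a Java class.
    static final String TAGGED_CONFIG =
            "rules: []\n" +
            "origin: !!YamlLoaderDemo$Marker {name: from-yaml}\n";

    // Hardened loading: SafeConstructor builds only maps, lists and scalars.
    static Map<String, Object> loadSafely(String yaml) {
        Yaml loader = new Yaml(new SafeConstructor());
        return loader.load(yaml);
    }

    // Default loading: the tag decides which class gets instantiated.
    static Map<String, Object> loadWithDefaults(String yaml) {
        return new Yaml().load(yaml);
    }

    public static void main(String[] args) {
        // A plain config without tags loads identically with either loader.
        System.out.println("safe loader:    " + loadSafely(AGENT_CONFIG));
        System.out.println("default loader: " + loadWithDefaults(AGENT_CONFIG));

        // The default loader turns the tagged node into a Marker instance.
        Object origin = loadWithDefaults(TAGGED_CONFIG).get("origin");
        System.out.println("default loader built: " + origin.getClass().getName());

        // The safe loader refuses the tag instead of instantiating the class.
        try {
            loadSafely(TAGGED_CONFIG);
            System.out.println("unexpected: tagged document accepted");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected tag: " + e.getMessage());
        }
    }
}
```

Compile with snakeyaml 1.x on the classpath (`javac -cp snakeyaml-<version>.jar YamlLoaderDemo.java`). The takeaway matches the announcement: when the YAML is written by the operator who starts the JVM, the tag mechanism is not reachable by anyone who does not already control the process, so the scanner finding is a dependency-version issue rather than a live exposure; an application that ever parses YAML it did not author should use `SafeConstructor` regardless of the library version.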

-- 
You received this message because you are subscribed to the Google Groups 
"prometheus-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to prometheus-announce+unsubscr...@googlegroups.com.
To view this discussion on the web, visit 
https://groups.google.com/d/msgid/prometheus-announce/bb2505b0-37fc-457c-9a4d-d4730fc95a79n%40googlegroups.com.