We've just released version 0.16.0 of the jmx_exporter (

*Update SnakeYAML Dependency Version (#592 

Starting with version 0.16.0, the Java agent is released in two versions:

   - jmx_prometheus_javaagent-0.16.0.jar 
   requires Java >= 7.
   - jmx_prometheus_javaagent-0.16.0_java6.jar 
   is compatible with Java 6.

Both versions are built from the same source files and have identical 
functionality. The only difference is the version of the included snakeyaml 
<https://bitbucket.org/asomov/snakeyaml/wiki/Home> dependency.

jmx_exporter uses the snakeyaml library to read the YAML configuration 
file. Snakeyaml 1.23 is the last release to support Java 6 
<https://bitbucket.org/asomov/snakeyaml/wiki/Changes>. This version is 
affected by CVE-2017-18640 <https://nvd.nist.gov/vuln/detail/CVE-2017-18640>, 
which can cause snakeyaml to execute arbitrary code if the YAML file comes 
from an untrusted source.

This vulnerability does not apply in the context of jmx_exporter, because 
the agent configuration does not come from an untrusted source. However, 
even if there is no actual security risk, users find it annoying that their 
automated security scans report a CVE. In order to prevent this we 
published a version with an updated snakeyaml dependency that requires Java 
>= 7.
* Other Changes *
   - [BUGFIX] Leverages the interpolated help when the matching rule is 
   cached (fixes #612 
   <https://github.com/prometheus/jmx_exporter/issues/612>) (#613 
   - [ENHANCEMENT] Automated integration tests of different Java versions 
   using Testcontainers <https://www.testcontainers.org/>. Docker needs to 
   be installed on a system in order to run ./mvnw verify.
   - [ENHANCEMENT] Bump logback-classic version (#617 
   - [ENHANCEMENT] Update to client_java 0.11.0
   - [ENHANCEMENT] added support for java.util.Optional (the SonarQube 
   maintainers had this weird idea of an Optional<Long> property in an 


You received this message because you are subscribed to the Google Groups 
"prometheus-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to prometheus-announce+unsubscr...@googlegroups.com.
To view this discussion on the web, visit 

Reply via email to