sseide opened a new pull request #675: URL: https://github.com/apache/jmeter/pull/675
## Description

The latest update to xstream 1.4.18 contains fixes for 14 CVEs (http://x-stream.github.io/changes.html).

## Motivation and Context

Up to version 1.4.17 (before this update) xstream used an internal blacklist to block potential security threats on class (de)serialisation. With this new version they changed to an internal whitelist to allow safe operations only.

BUT - jmeter initializes xstream with an empty security framework (no white/blacklist at all) in JMeterUtils.java (https://github.com/apache/jmeter/blob/5f1995de244986c820ed47028ceedf9167004673/src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java#L1274:L1280), therefore I think the internal change in xstream does not change anything for jmeter. On the other hand I am not really sure about the security implications of running without a list at all and if these fixes really help...

Someone with a deeper understanding of jmeter's usage of xstream should check where the serialisation is used and where the objects to serialize/unserialize come from (external/network or only internal).

## How Has This Been Tested?

`gradlew check` runs without problem and we have used it for nearly 2 months ourselves without any problem.

## Screenshots (if appropriate):

## Types of changes

- Bug fix (non-breaking change which fixes an issue)

## Checklist:

- [x] My code follows the [code style][style-guide] of this project.
- [x] I have updated the documentation accordingly.

[style-guide]: https://wiki.apache.org/jmeter/CodeStyleGuidelines

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
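The distinction the PR raises is between an XStream instance that permits every type and one that carries an explicit allowlist. The following is an added illustration (not JMeter's code and not part of the pull request) of what that difference means at deserialisation time with the public XStream 1.4.18 API: `permissive()` builds an instance that accepts any class, which is the situation the PR author describes as "no white/blacklist at all"; `restricted()` builds one that only admits a hypothetical `org.example.model` package. The XML payload is constructed for the demo and names a plain JDK type that is outside that allowlist. Whether JMeter's own `JMeterUtils` matches `permissive()` exactly is an assumption; the linked source is the place to confirm it.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class XStreamPolicyDemo {

    // Constructed sample document for the demo: a JDK type that is not on the
    // allowlist used by restricted(). Not a real JMeter test plan.
    private static final String UNEXPECTED_TYPE_XML =
            "<java.util.ArrayList><string>a</string></java.util.ArrayList>";

    /**
     * Permissive set-up: clear whatever list XStream installed by default and then
     * allow every type. This is what "running without a list at all" amounts to; the
     * library's switch from blacklist to whitelist has no effect on such an instance.
     */
    static XStream permissive() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);  // NoTypePermission clears existing permissions
        xs.addPermission(AnyTypePermission.ANY);  // then every class becomes deserialisable
        return xs;
    }

    /**
     * Allowlisted set-up: clear the default list and admit only the application's own
     * model package. The package name is a hypothetical placeholder for this example.
     */
    static XStream restricted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.allowTypesByWildcard(new String[] { "org.example.model.**" });
        return xs;
    }

    /**
     * Feeds the sample document to the given instance and reports whether the type was
     * accepted. XStream signals a rejected type with ForbiddenClassException.
     */
    static boolean acceptsUnexpectedType(XStream xs) {
        try {
            xs.fromXML(UNEXPECTED_TYPE_XML);
            return true;
        } catch (ForbiddenClassException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("permissive accepts java.util.ArrayList: "
                + acceptsUnexpectedType(permissive()));   // true
        System.out.println("restricted accepts java.util.ArrayList: "
                + acceptsUnexpectedType(restricted()));   // false
    }
}
```

The point for review is the one the PR author asks to have checked: an allowlist only protects deserialisation of documents that can come from outside the process, so the question of where JMeter's XStream input originates (a test plan from disk, data over the network, or only internally produced objects) decides whether `permissive()` is acceptable or `restricted()` is required.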
