renovate-bot opened a new pull request, #6117:
URL: https://github.com/apache/jmeter/pull/6117

   [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
   
   This PR contains the following updates:
   
   | Package | Change | Age | Adoption | Passing | Confidence |
   |---|---|---|---|---|---|
   | [com.github.tomakehurst:wiremock-jre8](https://wiremock.org) ([source](https://togithub.com/wiremock/wiremock)) | `2.35.0` -> `2.35.1` | [![age](https://developer.mend.io/api/mc/badges/age/maven/com.github.tomakehurst:wiremock-jre8/2.35.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/com.github.tomakehurst:wiremock-jre8/2.35.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/com.github.tomakehurst:wiremock-jre8/2.35.0/2.35.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/com.github.tomakehurst:wiremock-jre8/2.35.0/2.35.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
   
   ---
   
   ### Release Notes
   
   <details>
   <summary>wiremock/wiremock (com.github.tomakehurst:wiremock-jre8)</summary>
   
   ### [`v2.35.1`](https://togithub.com/wiremock/wiremock/releases/tag/2.35.1): - Security Release
   
   [Compare Source](https://togithub.com/wiremock/wiremock/compare/2.35.0...2.35.1)
   
   🔒 This is a security release that addresses the following issues
   
   -   [CVE-2023-41327](https://togithub.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7) - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
       -   Overall CVSS Score: 4.6 ([AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C\&version=3.1))
   -   [CVE-2023-41329](https://togithub.com/wiremock/wiremock/security/advisories/GHSA-pmxq-pj47-j8j4) - Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
       -   Overall CVSS Score: 3.9 ([AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C\&version=3.1))
   
   **NOTE:** WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by [CVE-2023-39967 - Overall CVSS Score 8.6](https://togithub.com/wiremock/wiremock/security/advisories/GHSA-676j-xrv3-73vc) - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to [WireMock Cloud](https://www.wiremock.io/product) which is available as SaaS and private beta for on-premises deployments
   
   Credits: [@W0rty](https://togithub.com/W0rty), [@numacanedo](https://togithub.com/numacanedo), [@Mahoney](https://togithub.com/Mahoney), [@tomakehurst](https://togithub.com/tomakehurst), [@oleg-nenashev](https://togithub.com/oleg-nenashev)
   
   </details>
   
   ---
   
   ### Configuration
   
   📅 **Schedule**: Branch creation - "every 3 weeks on Monday" (UTC), Automerge - At any time (no schedule defined).
   
   🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
   
   ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
   
   🔕 **Ignore**: Close this PR and you won't be reminded about this update 
again.
   
   ---
   
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this 
box
   
   ---
   
   This PR has been generated by [Mend 
Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository 
job log [here](https://developer.mend.io/github/apache/jmeter).
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@jmeter.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
