Hi all,

jmx_exporter 0.18.0 has been released: https://github.com/prometheus/jmx_exporter/releases/tag/parent-0.18.0

This release updates the snakeyaml dependency from 1.32 to 2.0, because version 1.32 is vulnerable to CVE-2022-1471 <https://github.com/advisories/GHSA-mjmj-j48q-9wg2>.

Note that jmx_exporter uses snakeyaml only to parse its config file. That means, unless you have untrusted 3rd parties write your jmx_exporter config, the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version, this update will help.

Fixes and enhancements included in this release:

* [BUGFIX] Fix jmx_exporter_build_info metric #768 <https://github.com/prometheus/jmx_exporter/pull/768>. Thanks @dhoard <https://github.com/dhoard>.
* [BUGFIX] Fix the Debian package build #752 <https://github.com/prometheus/jmx_exporter/pull/752>, #650 <https://github.com/prometheus/jmx_exporter/pull/650>. Thanks @ozon2 <https://github.com/ozon2> and @Skunnyk <https://github.com/Skunnyk>.
* [ENHANCEMENT] Improve performance of duplicate sample lookup #719 <https://github.com/prometheus/jmx_exporter/pull/719>. Thanks @amuraru <https://github.com/amuraru>.
* [BUGFIX] Bump Snakeyaml dependency version to 2.0 to fix CVE-2022-1471 <https://github.com/advisories/GHSA-mjmj-j48q-9wg2> #777 <https://github.com/prometheus/jmx_exporter/pull/777>, #767 <https://github.com/prometheus/jmx_exporter/pull/767>. Thanks @dhoard <https://github.com/dhoard> and @ppatierno <https://github.com/ppatierno>.

Thanks a lot to all contributors.

Fabian