Update apache commons-text lib

[Lonzak]

Expected behavior

Jmeter is using a vulnerable apache commons-text library. It should be updated to the latest version (currently 1.10).

Actual behavior

No response

Steps to reproduce the problem

JMeter Version

5.5

Java Version

No response

OS Version

No response

[Lonzak]

The CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-42889)
doesn't concern us, as we are not using the affected class StringSubstitutor
in our code.

But it is always a good idea, to keep our dependencies up to date.

Thank you nevertheless for updating - since all scanners alert anyway when finding a vulnerable library (even though the effected class is not directly used). By using an up-to-date lib it is now much easier to argue with the decision makers / security guys...

[groot327]

Looking at the contents of the ZIP and the Release Notes, commons-text v1.10 is not part of JMeter 5.5. Would anyone be able to confirm when this will be released?

[Lonzak]

Looking at the contents of the ZIP and the Release Notes, commons-text v1.10 is not part of JMeter 5.5. Would anyone be able to confirm when this will be released?

Jmeter 5.5 contains commons-text-1.9 and has been released in June 2022 long before this issue was created. The Update to 1.10 will be part of the next jmeter release...

[groot327]

Thank you. That's what I thought, but the previous comments (Oct, Nov) made me want to ask the question.