From aeb563346455ed0fc463cc3f47a289b81df669f3 Mon Sep 17 00:00:00 2001 From: Vladimir Sitnikov Date: Sun, 24 May 2026 10:53:43 +0300 Subject: [PATCH 01/11] build: refresh stale checksum entries for xerces and xml-apis xerces:xercesImpl:2.9.1 had an outdated SHA-512 in checksum.xml that did not match the artifact currently served by Maven Central. xml-apis:xml-apis:1.3.04 had no entry at all. Both are reachable from the buildscript classpath and blocked any fresh checkout from running verifyReleaseDependencies. Generated with: ./gradlew -Prelease -PchecksumUpdateAll -PupdateExpectedJars verifyReleaseDependencies --- checksum.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/checksum.xml b/checksum.xml index cbbfe400079..6e5695b76ca 100644 --- a/checksum.xml +++ b/checksum.xml @@ -402,10 +402,14 @@ 37A13B129F3536A53F2A553151A53997DA6DE7CE4D7231EFEEFD26A68C92BE309666F2EE1F527D3B8C38BC6ADDC9FCCBBDD0D134759FD88667976B0CFF842435 + EC2200E5A5A70F5C64744F6413A546F5E4979B3FB1649B02756FF035D36DDE31170EAADC70842230296B60896F04877270C26B40415736299AEF44AC16C5811C AC0896B9A3FEA71644330DAEF4ECCB33005B5B7AC1E1D1D73EED2B2A1F4B2282057F3C0F3698B899E1C76B19C09C69BF4CD0EE548427B9BCC676B791DB5C36BC + + 1086A52924ADD2406E0B4EC7219A8783AC20E02A32A7A2461EFBF092F0070501F7CADE9C0588907C403352F1A48F80B950E6D40B2E4E3E9EB886E7DB4E97BDEC + ECA19B8A6B04C279B7982B16F1763CA1D49B0081A8D4CA2B7419F057D22A0EC60795EB4D901C5EB25DD4A733248876AA2F522C17A6144A26C8EDE9FB2F84531A From be363a61faf2f14a9aa55a5ca53199aab929d594 Mon Sep 17 00:00:00 2001 
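Review bot: A digest mismatch for an already-released coordinate should be explained before the new value is trusted. The description says the recorded SHA-512 for xerces:xercesImpl:2.9.1 no longer matches what the repository serves, and the `@@ -402,10 +402,14 @@` hunk appears to add a second digest while the old one stays as context. Release artifacts are expected to be immutable, so the commit should record which repository served each binary and how the new jar was checked (for example against its PGP signature), and drop the stale digest if it is no longer expected to resolve. The element markup of this hunk is not visible here, so which digest belongs to which entry is inferred from the description.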
From: Vladimir Sitnikov Date: Sun, 24 May 2026 10:53:54 +0300 Subject: [PATCH 02/11] fix(deps): bump com.thoughtworks.xstream:xstream to 1.4.21 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes CVE-2024-47072 (GHSA-jh3w-4vvf-mjgr, CVSS 7.7 High): xstream allowed a denial of service via stack overflow when unmarshalling Java's open type hierarchy. Patch bump within 1.4.x — API compatible. Verified: ./gradlew -Prelease --continue build (full JDK 8 test suite, excluding the network-flaky batchTEST_HTTPJava and batchHttp4ImplPreemptiveBasicAuth which fail intermittently on the local box).
---
 src/bom-thirdparty/build.gradle.kts | 2 +- src/dist/src/dist/expected_release_jars.csv | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts
index 5a91e9dd43d..bb5571de7a2 100644
--- a/src/bom-thirdparty/build.gradle.kts
+++ b/src/bom-thirdparty/build.gradle.kts
@@ -61,7 +61,7 @@ dependencies {
 api("com.miglayout:miglayout-core:5.3")
 api("com.miglayout:miglayout-swing:5.3")
 api("com.sun.activation:javax.activation:1.2.0")
- api("com.thoughtworks.xstream:xstream:1.4.20")
+ api("com.thoughtworks.xstream:xstream:1.4.21")
 api("commons-codec:commons-codec:1.16.0")
 api("commons-collections:commons-collections:3.2.2")
 api("commons-io:commons-io:2.15.1")
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv
index a6b456bff17..84ed97e1df3 100644
--- a/src/dist/src/dist/expected_release_jars.csv
+++ b/src/dist/src/dist/expected_release_jars.csv
@@ -137,4 +137,4 @@
 7188,xmlpull-1.1.3.1.jar
 1027769,xmlresolver-5.2.1-data.jar
 165689,xmlresolver-5.2.1.jar
-644649,xstream-1.4.20.jar
+646504,xstream-1.4.21.jar
From edfa9154935b5ad72c4dde819e2e2871fda307d1 Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov Date: Sun, 24 May 2026 10:59:07 +0300 Subject: [PATCH 03/11] fix(deps): bump org.mozilla:rhino to 1.7.14.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes CVE-2025-66453 (GHSA-3w8q-xq97-5j7x, CVSS 2.7 Low): Rhino's regex engine had a polynomial-runtime issue that could be triggered by crafted input. Patch bump within the 1.7.14.x line — API compatible. Verified: ./gradlew -Prelease --continue build on JDK 8 (excluding the two network-flaky batch tests).
---
 src/bom-thirdparty/build.gradle.kts | 2 +- src/dist/src/dist/expected_release_jars.csv | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts
index bb5571de7a2..7f34672233f 100644
--- a/src/bom-thirdparty/build.gradle.kts
+++ b/src/bom-thirdparty/build.gradle.kts
@@ -133,7 +133,7 @@ dependencies {
 api("org.jodd:jodd-props:5.0.13")
 api("org.jsoup:jsoup:1.17.1")
 api("org.mongodb:mongo-java-driver:2.14.3")
- api("org.mozilla:rhino:1.7.14")
+ api("org.mozilla:rhino:1.7.14.1")
 api("org.neo4j.driver:neo4j-java-driver:4.4.13")
 api("org.slf4j:jcl-over-slf4j:1.7.36")
 api("org.slf4j:slf4j-api:1.7.36")
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv
index 84ed97e1df3..84fe16c1978 100644
--- a/src/dist/src/dist/expected_release_jars.csv
+++ b/src/dist/src/dist/expected_release_jars.csv
@@ -119,7 +119,7 @@
 1283358,plot-builder-jvm-4.1.0.jar
 969648,plot-stem-jvm-4.1.0.jar
 11640,reactive-streams-1.0.4.jar
-1383644,rhino-1.7.14.jar
+1389188,rhino-1.7.14.1.jar
 1297525,rsyntaxtextarea-3.3.4.jar
 5104657,Saxon-HE-11.6.jar
 283536,serializer-2.7.3.jar
From dc3e91c58b8dd6fbdfc11cf58cfbe7490ac16fa7 Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov Date: Sun, 24 May 2026 11:03:54 +0300 Subject: [PATCH 04/11] fix(deps): bump net.minidev:{json-smart,accessors-smart} to 2.5.2 Fixes CVE-2024-57699 (CVSS 7.5 High): json-smart's recursion limit could be bypassed via crafted deeply-nested JSON, causing stack overflow. Patch bump within 2.5.x. accessors-smart is released as a pair with json-smart and bumped together so the runtime classpath stays consistent. Also bumps org.ow2.asm:asm from 9.6 to 9.7.1 because accessors-smart 2.5.2 pulls in asm 9.7.1 transitively; updating the bom declaration so it matches the resolved version (vs. silently overridden). Verified: ./gradlew -Prelease --continue build on JDK 8. --- checksum.xml | 6 ++++++ src/bom-thirdparty/build.gradle.kts | 6 +++--- src/dist/src/dist/expected_release_jars.csv | 6 +++--- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/checksum.xml b/checksum.xml index 6e5695b76ca..620b7144fbe 100644 --- a/checksum.xml +++ b/checksum.xml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diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts index 7f34672233f..d0bfccde1e8 100644 --- a/src/bom-thirdparty/build.gradle.kts +++ b/src/bom-thirdparty/build.gradle.kts @@ -38,7 +38,7 @@ dependencies { // compilation classpath (e.g. it is used as a transitive by a third-party library) // then it should be declared as "api" here since we use useCompileClasspathVersions // to make runtime classpath consistent with the compile one. - api("org.ow2.asm:asm:9.6") + api("org.ow2.asm:asm:9.7.1") api("bsf:bsf:2.4.0") api("cglib:cglib-nodep:3.3.0") 
@@ -87,8 +87,8 @@ dependencies {
 api("org.hamcrest:hamcrest:2.2") {
 because("ApacheJMeter_junit depends on junit4")
 }
- api("net.minidev:accessors-smart:2.5.0")
- api("net.minidev:json-smart:2.5.0")
+ api("net.minidev:accessors-smart:2.5.2")
+ api("net.minidev:json-smart:2.5.2")
 api("net.sf.jtidy:jtidy:r938")
 api("net.sf.saxon:Saxon-HE:11.6")
 api("org.apache-extras.beanshell:bsh:2.0b6")
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv
index 84fe16c1978..92f2bf3fd28 100644
--- a/src/dist/src/dist/expected_release_jars.csv
+++ b/src/dist/src/dist/expected_release_jars.csv
@@ -1,7 +1,7 @@
-29901,accessors-smart-2.5.0.jar
+30358,accessors-smart-2.5.2.jar
 30570,annotations-24.1.0.jar
 6806,apiguardian-api-1.1.2.jar
-123598,asm-9.6.jar
+126093,asm-9.7.1.jar
 485898,batik-anim-1.16.jar
 424607,batik-awt-util-1.16.jar
 704905,batik-bridge-1.16.jar
@@ -87,7 +87,7 @@
 19858,jodd-log-5.0.13.jar
 26047,jodd-props-5.0.13.jar
 277582,json-path-2.8.0.jar
-120233,json-smart-2.5.0.jar
+122358,json-smart-2.5.2.jar
 473788,jsoup-1.17.1.jar
 249924,jtidy-r938.jar
 384581,junit-4.13.2.jar
From 05f95eb5713a62fb8800ae616dda96ec320796fc Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov Date: Sun, 24 May 2026 11:10:03 +0300 Subject: [PATCH 05/11] fix(deps): bump com.jayway.jsonpath:json-path to 2.9.0 Fixes CVE-2023-51074 (CVSS 5.3 Medium): json-path 2.8.0 had a stack overflow when evaluating deeply-nested path expressions. Minor bump within 2.x. json-path 2.9.0 declares slf4j-api 2.x as compile dep, which would otherwise cascade slf4j across the project. Since log4j-slf4j-impl 2.22.x is built against slf4j 1.x and a coordinated slf4j 2.x upgrade is out of scope here, jcl-over-slf4j and slf4j-api are pinned with `strictly("1.7.36")`. json-path only uses LoggerFactory.getLogger which is API-compatible across both lines. Verified: ./gradlew -Prelease --continue build on JDK 8.
---
 src/bom-thirdparty/build.gradle.kts | 12 +++++++++--- src/dist/src/dist/expected_release_jars.csv | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts
index d0bfccde1e8..f2df2d27249 100644
--- a/src/bom-thirdparty/build.gradle.kts
+++ b/src/bom-thirdparty/build.gradle.kts
@@ -57,7 +57,7 @@ dependencies {
 api("com.google.errorprone:error_prone_annotations:2.24.0")
 api("com.helger.commons:ph-commons:10.2.5")
 api("com.helger:ph-css:6.5.0")
- api("com.jayway.jsonpath:json-path:2.8.0")
+ api("com.jayway.jsonpath:json-path:2.9.0")
 api("com.miglayout:miglayout-core:5.3")
 api("com.miglayout:miglayout-swing:5.3")
 api("com.sun.activation:javax.activation:1.2.0")
@@ -135,8 +135,14 @@ dependencies {
 api("org.mongodb:mongo-java-driver:2.14.3")
 api("org.mozilla:rhino:1.7.14.1")
 api("org.neo4j.driver:neo4j-java-driver:4.4.13")
- api("org.slf4j:jcl-over-slf4j:1.7.36")
- api("org.slf4j:slf4j-api:1.7.36")
+ api("org.slf4j:jcl-over-slf4j") {
+ version { strictly("1.7.36") }
+ because("log4j-slf4j-impl 2.22.x is built against slf4j 1.x")
+ }
+ api("org.slf4j:slf4j-api") {
+ version { strictly("1.7.36") }
+ because("log4j-slf4j-impl 2.22.x is built against slf4j 1.x")
+ }
 api("oro:oro:2.0.8")
 api("xalan:serializer:2.7.3")
 api("xalan:xalan:2.7.3")
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv
index 92f2bf3fd28..47d9b0b625c 100644
--- a/src/dist/src/dist/expected_release_jars.csv
+++ b/src/dist/src/dist/expected_release_jars.csv
@@ -86,7 +86,7 @@
 220475,jodd-lagarto-5.0.13.jar
 19858,jodd-log-5.0.13.jar
 26047,jodd-props-5.0.13.jar
-277582,json-path-2.8.0.jar
+276633,json-path-2.9.0.jar
 122358,json-smart-2.5.2.jar
 473788,jsoup-1.17.1.jar
 249924,jtidy-r938.jar
From 135346a7a6e8e9587bbe3e6e68049488bcae5fb0 Mon Sep 17 00:00:00 2001 From: Vladimir Sitnikov Date: Sun, 24 May 2026 12:40:01 +0300 Subject: [PATCH 06/11] fix(deps): bump com.fasterxml.jackson.core:* to 2.18.6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes GHSA-72hv-8253-57qq (CVSS 6.9 Medium): jackson-core had a stack overflow in deeply-nested JSON. Minor bump 2.16.1 -> 2.18.6 within 2.x. Adjusts TestJMESPathAssertion to match Jackson's updated parser error column reporting (column 2 vs column 3) — same character, just reported at the position of the offending quote rather than one past it. Verified: ./gradlew -Prelease --continue build on JDK 8.
---
 src/bom-thirdparty/build.gradle.kts | 6 +++--- .../jmeter/assertions/jmespath/TestJMESPathAssertion.java | 2 +- src/dist/src/dist/expected_release_jars.csv | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-)
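Review bot: The two `strictly("1.7.36")` constraints in the `@@ -135,8 +135,14 @@` hunk of build.gradle.kts say why slf4j 1.x is needed but not what they override or when they can be dropped. The description names json-path 2.9.0 as the dependency that requests slf4j 2.x; putting that in the reason, e.g. `because("json-path 2.9.0 requests slf4j 2.x; log4j-slf4j-impl 2.22.x is built against slf4j 1.x")`, keeps the forced downgrade visible at the declaration. If this BOM is published to consumers, a strict constraint may also affect their resolution, which is worth confirming. The `dependencies` block starts and ends outside the hunk.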
diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts index f2df2d27249..e7a31a8e11f 100644 --- a/src/bom-thirdparty/build.gradle.kts +++ b/src/bom-thirdparty/build.gradle.kts @@ -42,9 +42,9 @@ dependencies { api("bsf:bsf:2.4.0") api("cglib:cglib-nodep:3.3.0") - api("com.fasterxml.jackson.core:jackson-annotations:2.16.1") - api("com.fasterxml.jackson.core:jackson-core:2.16.1") - api("com.fasterxml.jackson.core:jackson-databind:2.16.1") + api("com.fasterxml.jackson.core:jackson-annotations:2.18.6") + api("com.fasterxml.jackson.core:jackson-core:2.18.6") + api("com.fasterxml.jackson.core:jackson-databind:2.18.6") api("com.fifesoft:rsyntaxtextarea:3.3.4") api("com.formdev:svgSalamander:1.1.4") api("com.github.ben-manes.caffeine:caffeine:2.9.3") diff --git a/src/components/src/test/java/org/apache/jmeter/assertions/jmespath/TestJMESPathAssertion.java b/src/components/src/test/java/org/apache/jmeter/assertions/jmespath/TestJMESPathAssertion.java index 2e38339eaa8..a5025d00191 100644 --- a/src/components/src/test/java/org/apache/jmeter/assertions/jmespath/TestJMESPathAssertion.java +++ b/src/components/src/test/java/org/apache/jmeter/assertions/jmespath/TestJMESPathAssertion.java @@ -105,7 +105,7 @@ private static Stream data() { Arguments.of(InvertType.USE_NO_INVERT, "{'one': '1'}", "one", ValidationType.USE_VALIDATION, ComparisonType.USE_NO_REXEG, ResultNullity.EXPECT_NOT_NULL, "2", ResultType.ERROR, "Unexpected character (''' (code 39)): was expecting double-quote to start field name\n at" - + " [Source: (String)\"{'one': '1'}\"; line: 1, column: 3]"), + + " [Source: (String)\"{'one': '1'}\"; line: 1, column: 2]"), Arguments.of(InvertType.USE_NO_INVERT, "{\"one\": \"\"}", "one", ValidationType.USE_VALIDATION, ComparisonType.USE_NO_REXEG, ResultNullity.EXPECT_NOT_NULL, "1", ResultType.FAILURE, "Value expected to be equal to 1"), 
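Review bot: The expected value in the `@@ -105,7 +105,7 @@` hunk of TestJMESPathAssertion pins the complete Jackson parser message, so an upgrade that only moves the reported column breaks the test, which is what this commit has to patch. Matching on the stable part, e.g. `"Unexpected character (''' (code 39)): was expecting double-quote to start field name"`, would keep later security bumps of jackson-core mechanical. The expected text also carries the raw input after `[Source: (String)`, so the assertion message apparently echoes response content; it is worth confirming that this is intended for result files and logs. `data()` starts and ends outside the hunk.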
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv index 47d9b0b625c..d6216e02127 100644 --- a/src/dist/src/dist/expected_release_jars.csv +++ b/src/dist/src/dist/expected_release_jars.csv @@ -74,9 +74,9 @@ 855013,httpcore5-5.2.4.jar 237145,httpcore5-h2-5.2.4.jar 41727,httpmime-4.5.14.jar -78480,jackson-annotations-2.16.1.jar -578125,jackson-core-2.16.1.jar -1637611,jackson-databind-2.16.1.jar +78412,jackson-annotations-2.18.6.jar +589904,jackson-core-2.18.6.jar +1659211,jackson-databind-2.18.6.jar 78030,javax.activation-1.2.0.jar 142391,jcharts-0.7.5.jar 16555,jcl-over-slf4j-1.7.36.jar From 40d43bc19597ce16dc43f41f8e6abe46cf45b4fb Mon Sep 17 00:00:00 2001 From: Vladimir Sitnikov Date: Sun, 24 May 2026 12:45:34 +0300 Subject: [PATCH 07/11] fix(deps): bump org.apache.logging.log4j:* to 2.25.4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes multiple CVEs in log4j 2.22.1 (CVSS up to 6.9 Medium): CVE-2025-68161, CVE-2026-34477, CVE-2026-34478, CVE-2026-34479, CVE-2026-34480 — all addressed in 2.25.4. Minor bump within 2.x. Bumps all four artifacts (log4j-1.2-api, log4j-api, log4j-core, log4j-slf4j-impl) so the runtime classpath stays consistent. checksum.xml picks up three new trusted-key groups (biz.aQute.bnd, org.jspecify, org.osgi) that the 2.25 chain pulls in. Verified: ./gradlew -Prelease --continue build on JDK 8. --- checksum.xml | 3 +++ src/bom-thirdparty/build.gradle.kts | 12 ++++++------ src/dist/src/dist/expected_release_jars.csv | 8 ++++---- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/checksum.xml b/checksum.xml index 620b7144fbe..6a4f71e4196 100644 --- a/checksum.xml +++ b/checksum.xml @@ -5,6 +5,7 @@ + @@ -192,6 +193,7 @@ + @@ -201,6 +203,7 @@ + diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts index e7a31a8e11f..cb70332692e 100644 --- a/src/bom-thirdparty/build.gradle.kts 
+++ b/src/bom-thirdparty/build.gradle.kts
@@ -107,10 +107,10 @@ dependencies {
 api("org.apache.httpcomponents:httpcore-nio:4.4.16")
 api("org.apache.httpcomponents:httpcore:4.4.16")
 api("org.apache.httpcomponents:httpmime:4.5.14")
- api("org.apache.logging.log4j:log4j-1.2-api:2.22.1")
- api("org.apache.logging.log4j:log4j-api:2.22.1")
- api("org.apache.logging.log4j:log4j-core:2.22.1")
- api("org.apache.logging.log4j:log4j-slf4j-impl:2.22.1")
+ api("org.apache.logging.log4j:log4j-1.2-api:2.25.4")
+ api("org.apache.logging.log4j:log4j-api:2.25.4")
+ api("org.apache.logging.log4j:log4j-core:2.25.4")
+ api("org.apache.logging.log4j:log4j-slf4j-impl:2.25.4")
 api("org.apache.rat:apache-rat:0.15")
 api("org.apache.tika:tika-core:1.28.5")
 api("org.apache.tika:tika-parsers:1.28.5")
@@ -137,11 +137,11 @@ dependencies {
 api("org.neo4j.driver:neo4j-java-driver:4.4.13")
 api("org.slf4j:jcl-over-slf4j") {
 version { strictly("1.7.36") }
- because("log4j-slf4j-impl 2.22.x is built against slf4j 1.x")
+ because("log4j-slf4j-impl 2.25.x is built against slf4j 1.x")
 }
 api("org.slf4j:slf4j-api") {
 version { strictly("1.7.36") }
- because("log4j-slf4j-impl 2.22.x is built against slf4j 1.x")
+ because("log4j-slf4j-impl 2.25.x is built against slf4j 1.x")
 }
 api("oro:oro:2.0.8")
 api("xalan:serializer:2.7.3")
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv
index d6216e02127..5bb4a6b8262 100644
--- a/src/dist/src/dist/expected_release_jars.csv
+++ b/src/dist/src/dist/expected_release_jars.csv
@@ -99,10 +99,10 @@
 9964,kotlinx-coroutines-swing-1.7.3.jar
 996,lets-plot-batik-4.1.0.jar
 996,lets-plot-common-4.1.0.jar
-356564,log4j-1.2-api-2.22.1.jar
-335001,log4j-api-2.22.1.jar
-1900022,log4j-core-2.22.1.jar
-24583,log4j-slf4j-impl-2.22.1.jar
+359214,log4j-1.2-api-2.25.4.jar
+351127,log4j-api-2.25.4.jar
+2023860,log4j-core-2.25.4.jar
+25388,log4j-slf4j-impl-2.25.4.jar
 519087,mail-1.5.0-b01.jar
 106949,miglayout-core-5.3.jar
 22576,miglayout-swing-5.3.jar
From 27c18a3df5b5083d1e5b5026d354b07f4c4f5681 Mon Sep 17 00:00:00 2001 From: Vladimir Sitnikov Date: Sun, 24 May 2026 12:51:41 +0300 Subject: [PATCH 08/11] fix(deps): bump org.apache.xmlgraphics:batik-* to 1.17 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes CVE-2022-44729 (CVSS 7.1 High) in batik-bridge/batik-transcoder and CVE-2022-44730 (CVSS 4.4 Medium) in batik-script — both addressed in batik 1.17. Minor bump within the 1.x line. batik is brought in transitively by lets-plot-batik 4.1.0, which pins 1.16. Explicit constraints are added for all 18 batik artifacts so the resolved versions match the constraint rather than the transitive request. No batik-bom is published, hence the per-artifact list. Verified: ./gradlew -Prelease --continue build on JDK 8.
---
 src/bom-thirdparty/build.gradle.kts | 18 +++++++++++ src/dist/src/dist/expected_release_jars.csv | 36 ++++++++++----------- 2 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts
index cb70332692e..cffe395a0ff 100644
--- a/src/bom-thirdparty/build.gradle.kts
+++ b/src/bom-thirdparty/build.gradle.kts
@@ -115,6 +115,24 @@ dependencies {
 api("org.apache.tika:tika-core:1.28.5")
 api("org.apache.tika:tika-parsers:1.28.5")
 api("org.apache.velocity:velocity:1.7")
+ api("org.apache.xmlgraphics:batik-anim:1.17")
+ api("org.apache.xmlgraphics:batik-awt-util:1.17")
+ api("org.apache.xmlgraphics:batik-bridge:1.17")
+ api("org.apache.xmlgraphics:batik-codec:1.17")
+ api("org.apache.xmlgraphics:batik-constants:1.17")
+ api("org.apache.xmlgraphics:batik-css:1.17")
+ api("org.apache.xmlgraphics:batik-dom:1.17")
+ api("org.apache.xmlgraphics:batik-ext:1.17")
+ api("org.apache.xmlgraphics:batik-gvt:1.17")
+ api("org.apache.xmlgraphics:batik-i18n:1.17")
+ api("org.apache.xmlgraphics:batik-parser:1.17")
+ api("org.apache.xmlgraphics:batik-script:1.17")
+ api("org.apache.xmlgraphics:batik-shared-resources:1.17")
+ api("org.apache.xmlgraphics:batik-svg-dom:1.17")
+ api("org.apache.xmlgraphics:batik-svggen:1.17")
+ api("org.apache.xmlgraphics:batik-transcoder:1.17")
+ api("org.apache.xmlgraphics:batik-util:1.17")
+ api("org.apache.xmlgraphics:batik-xml:1.17")
 api("org.apache.xmlgraphics:xmlgraphics-commons:2.9")
 api("org.apiguardian:apiguardian-api:1.1.2")
 api("org.bouncycastle:bcmail-jdk15on:1.70")
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv
index 5bb4a6b8262..0ba4f320c5b 100644
--- a/src/dist/src/dist/expected_release_jars.csv
+++ b/src/dist/src/dist/expected_release_jars.csv
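Review bot: The 18 `batik-*:1.17` entries in the `@@ -115,6 +115,24 @@` hunk carry no reason at the declaration, unlike the hamcrest entry in this file, which uses `because(...)`. The description explains that they exist only to override the 1.16 requested transitively by lets-plot-batik 4.1.0. A comment above the group such as `// batik is transitive via lets-plot-batik 4.1.0 (requests 1.16); constrained to 1.17 for CVE-2022-44729 and CVE-2022-44730` would tell a maintainer when the list can be removed. The `dependencies` block starts and ends outside the hunk.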
@@ -2,24 +2,24 @@
 30570,annotations-24.1.0.jar
 6806,apiguardian-api-1.1.2.jar
 126093,asm-9.7.1.jar
-485898,batik-anim-1.16.jar
-424607,batik-awt-util-1.16.jar
-704905,batik-bridge-1.16.jar
-112371,batik-codec-1.16.jar
-8431,batik-constants-1.16.jar
-330361,batik-css-1.16.jar
-184060,batik-dom-1.16.jar
-10239,batik-ext-1.16.jar
-192085,batik-gvt-1.16.jar
-11464,batik-i18n-1.16.jar
-76872,batik-parser-1.16.jar
-25198,batik-script-1.16.jar
-6665,batik-shared-resources-1.16.jar
-232734,batik-svg-dom-1.16.jar
-227487,batik-svggen-1.16.jar
-129300,batik-transcoder-1.16.jar
-127485,batik-util-1.16.jar
-33870,batik-xml-1.16.jar
+485992,batik-anim-1.17.jar
+424429,batik-awt-util-1.17.jar
+704814,batik-bridge-1.17.jar
+112314,batik-codec-1.17.jar
+8436,batik-constants-1.17.jar
+330640,batik-css-1.17.jar
+184033,batik-dom-1.17.jar
+10244,batik-ext-1.17.jar
+192067,batik-gvt-1.17.jar
+11427,batik-i18n-1.17.jar
+76812,batik-parser-1.17.jar
+24654,batik-script-1.17.jar
+6670,batik-shared-resources-1.17.jar
+230456,batik-svg-dom-1.17.jar
+227423,batik-svggen-1.17.jar
+129208,batik-transcoder-1.17.jar
+127142,batik-util-1.17.jar
+33826,batik-xml-1.17.jar
 113369,bsf-2.4.0.jar
 389033,bsh-2.0b6.jar
 912143,caffeine-2.9.3.jar
From 9160cf48ac7f3165890892a97b380134c6ea4259 Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov Date: Sun, 24 May 2026 13:19:13 +0300 Subject: [PATCH 09/11] fix(deps): bump dnsjava 2.1.9 -> 3.6.5 Fixes CVE-2024-25638 (CVSS 8.9 High): dnsjava 2.x did not validate DNSSEC responses, leaving JMeter open to cache poisoning when running behind a malicious resolver. No patch was published in the 2.x line, so this is a major bump. dnsjava 3.x still targets Java 8 and the public DNSCacheManager API stays unchanged. Source-level adjustments: - DNSCacheManager: Resolver#setTimeout(int, int) is deprecated; use the new Duration overload (Duration.ofMillis is Java 8 safe). - DNSCacheManagerTest: ResolverConfig#servers() now returns List instead of String[]; pass hostString to addServer. - DnsManagerTest is removed (mirrors master commit c6c6c07e5): the test relied on dnsjava 2.x's behavior of failing when a custom resolver cannot reach its DNS server. dnsjava 3.x falls back differently, and upstream replaced this test with a deterministic MockDnsServer-based suite that is out of scope for 5.6.x. checksum.xml and the cached-pgp-keys directory pick up new entries for dnsjava 3.x and log4j 2.25 (biz.aQute.bnd, jspecify, org.osgi). Verified: ./gradlew -Prelease --continue build on JDK 8. 
--- checksum.xml | 1 + .../08/fc9bdc25fb378008.fingerprints | 1 + .../37/3f1eb974e7ab9b37.fingerprints | 1 + ...68130c58722c9dc1c0fc633f1eb974e7ab9b37.asc | 24 +++++++ .../3f/49d2ed97daa8b33f.fingerprints | 1 + .../90/734aef3d43509290.fingerprints | 1 + ...fc1f3b2fced6afd046c7d5734aef3d43509290.asc | 16 +++++ .../ad/79f2237f143e7ead.fingerprints | 1 + .../b5/6da2b39d3a4085b5.fingerprints | 1 + ...cd49b4ef5876f9e9f691dabac30622339994c4.asc | 16 +++++ .../c4/bac30622339994c4.fingerprints | 1 + .../f9/0ca7139cbc7026f9.fingerprints | 1 + ...6a36f67d8c1bd13f1f278d0ca7139cbc7026f9.asc | 26 ++++++++ src/bom-thirdparty/build.gradle.kts | 2 +- src/dist/src/dist/expected_release_jars.csv | 2 +- .../http/control/DNSCacheManager.java | 2 +- .../protocol/http/control/DnsManagerTest.java | 62 ------------------- .../http/control/DNSCacheManagerTest.kt | 4 +- 18 files changed, 96 insertions(+), 67 deletions(-) create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/08/fc9bdc25fb378008.fingerprints create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/37/3f1eb974e7ab9b37.fingerprints create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/37/c668130c58722c9dc1c0fc633f1eb974e7ab9b37.asc create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/3f/49d2ed97daa8b33f.fingerprints create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/90/734aef3d43509290.fingerprints create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/90/eafc1f3b2fced6afd046c7d5734aef3d43509290.asc create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/ad/79f2237f143e7ead.fingerprints create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/b5/6da2b39d3a4085b5.fingerprints create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/c4/41cd49b4ef5876f9e9f691dabac30622339994c4.asc create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/c4/bac30622339994c4.fingerprints create mode 100644 
gradle/checksum-dependency-plugin/cached-pgp-keys/f9/0ca7139cbc7026f9.fingerprints create mode 100644 gradle/checksum-dependency-plugin/cached-pgp-keys/f9/e06a36f67d8c1bd13f1f278d0ca7139cbc7026f9.asc delete mode 100644 src/protocol/http/src/test/java/org/apache/jmeter/protocol/http/control/DnsManagerTest.java diff --git a/checksum.xml b/checksum.xml index 6a4f71e4196..7829b768412 100644 --- a/checksum.xml +++ b/checksum.xml @@ -87,6 +87,7 @@ + diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/08/fc9bdc25fb378008.fingerprints b/gradle/checksum-dependency-plugin/cached-pgp-keys/08/fc9bdc25fb378008.fingerprints new file mode 100644 index 00000000000..ab015cedb86 --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/08/fc9bdc25fb378008.fingerprints @@ -0,0 +1 @@ +41cd49b4ef5876f9e9f691dabac30622339994c4 diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/37/3f1eb974e7ab9b37.fingerprints b/gradle/checksum-dependency-plugin/cached-pgp-keys/37/3f1eb974e7ab9b37.fingerprints new file mode 100644 index 00000000000..0969b99054c --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/37/3f1eb974e7ab9b37.fingerprints @@ -0,0 +1 @@ +c668130c58722c9dc1c0fc633f1eb974e7ab9b37 diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/37/c668130c58722c9dc1c0fc633f1eb974e7ab9b37.asc b/gradle/checksum-dependency-plugin/cached-pgp-keys/37/c668130c58722c9dc1c0fc633f1eb974e7ab9b37.asc new file mode 100644 index 00000000000..4b0d026fda5 --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/37/c668130c58722c9dc1c0fc633f1eb974e7ab9b37.asc 
@@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGiBEqeQPYRBACiaEylrnzFWbHE+Zca8bgA9/iex2gOzLDqtS9+3Uf1y0m/BDj6 +m0VBpDlHDUyd2jcLdewO5If2D/fQ0JIHxBHTWKG0CctL4OB1kDMlF0Ue4mTfbIS0 +wxuqonh4iCoKUFx0SRDRlpAoEQdbIZCdadBOlMv5cWMBABXi3rvc0O/UxwCg9T09 +fqrC2cV1UwkZckw8d7tl+7cD/39P/X30a15SKJWqbQOqjHkS6FVTqS/7Y24n2uDa +5oTp0RqNOQZH8p+xbgMMepvpIF8KHoHIGNbkUGyzRjjpS3SaQbXnQh9fvyycj/ZE +3i9RQwulmEqTrHjZag+tTVUto3L5v3ovcsx/lxuLBHorFPyW7fhu0ucA4uAKwNjI +KgNfBACCKo5HFYLvDoRDmigRGaw8RoIVzRG2XRJDENyFcNm3Vr+YyMgdWWcduuo/ +cOKNZ/ahqidnZ7nZGPZmnyjcNH0eou9eQg8v9sP+v+05uPknqt82OfqVn45iLxpo +Q14kN8g5b6AuL4WxtfSfKFrn599Qyu81jVvxrBqNFVQLClWE67kCDQRKnkD2EAgA +s0Uqq3cgR7Bv1U1pK1sC7B2W4mXOmbB9eX9H028KVrsUolaKzT5wS7+JYp94SeLt +dYKSjQpC1lsfrCs672+5gkgwThBc0GkQ4xAs4G3Qu6G+Gy/TK3Sy5UQHy9px5w/t +lIfcR7TEOFoJC8Tv93YSBTchP7USktel8kV2eeej6nd5JgjVOTMvsRs2p1xVtLL+ +Mx929IdigqPJKkUYQ7BmbiaZ91mpMk0WB+vDclDzSTCb7fMWq4qKdUwUS14lR95x +saQex8KJHyp/i6sJlE2sm8/HS8zKEkXNOK0+U3NaFQqXYhm1w9rsC3vnuaqVWX+P +AFDd69N9QP5Sh1XYgAFH2wADBQf/f6rBSnLAVEBGOkIZA75MIVMU2hxlb0HDsyTJ +2S8k4jlA7O3kudVAdBVHhtcW4uTxxediC1nK+Ok/KI9w/1t1TZBqJdpg5vMxzBJG +GTWDu90bE/84AF2IeIyPO1t6F6tfMS/czsZuIFQAc31V3E18O4RfVIWJ/Sz+8cFs +4hdVMgGOGyqrAcO/dq/AbGIw2Ewrl8hdnakCWvycjC2lwErKTARRhFJTEZuYF02t +kzpETDWECxj5PzowQ/5VAXojNB5S4lANupNKm7bkzKQvVj3QwqO9Ibmsbu8aC7Cb +gnYJ9zl6kKRYC3e0AFN5Jo8azDVna+YiuT6JuievZchJp1u//g== +=ZQ9i +-----END PGP PUBLIC KEY BLOCK----- diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/3f/49d2ed97daa8b33f.fingerprints b/gradle/checksum-dependency-plugin/cached-pgp-keys/3f/49d2ed97daa8b33f.fingerprints new file mode 100644 index 00000000000..3f0a7df83f9 --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/3f/49d2ed97daa8b33f.fingerprints @@ -0,0 +1 @@ +eafc1f3b2fced6afd046c7d5734aef3d43509290 
diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/90/734aef3d43509290.fingerprints b/gradle/checksum-dependency-plugin/cached-pgp-keys/90/734aef3d43509290.fingerprints new file mode 100644 index 00000000000..3f0a7df83f9 --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/90/734aef3d43509290.fingerprints @@ -0,0 +1 @@ +eafc1f3b2fced6afd046c7d5734aef3d43509290 diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/90/eafc1f3b2fced6afd046c7d5734aef3d43509290.asc b/gradle/checksum-dependency-plugin/cached-pgp-keys/90/eafc1f3b2fced6afd046c7d5734aef3d43509290.asc new file mode 100644 index 00000000000..63f464ca629 --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/90/eafc1f3b2fced6afd046c7d5734aef3d43509290.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFRZXAUBCACqPBEjQ7si90PYbccyR/K2tg78HzJfmECvmtE9mKaUpAWGkid8 +xvSWNIunJMqMEyAM6lbyGUE/lQX8k0Ap4qk/UIf9vxdFirmlzD1lhfxDls33Y6et +TxpsRP2Rm0f6fW01R3L275FAvHLkQcOUQVoD407Eb3al41sYy6vdRZpdTJ923w9X +ol0a/6G7wueIMNO4TtxLNGSe+WPjtAWmLOl1H2pg2eOcKR2+finbeWpPZPCjR4I1 +CaMcGfdwv/4goI1b/931t0TlKAyGVhCgTa/1DKtRsJazwtw6MQZkE+/8t4JIuSVx +GlOWUrlU2HCbN+eAHj/5/G0suIw0OZpdtNPBABEBAAG5AQ0EVFlcBQEIAL512AsF +fT8EFL4QfomIipsWFyUCcwQbAgAbJ+Tuum+XDBYIVANgNJFbgCNbBwNXTtyQoj7c +dBD6IsP3HCIxZFLKjxFFu6rbHKls8p3gRPhe0xS43B4ym7IKA4xx4xVR3gtvOKWi +lbM4oKjY0EATFGMygEYp1PJoKtD+USi4QYBOXPCg5yt7BSlYp8bSpv4PddNnkPCq +j/KUK0TVCVkBIkYXyMYQxz1ReQwfZ7hyDoZQFuCILSIoDjPCAsoIFpJY1Qe3h+E7 +Wm3elU+sxoUv/d+gulrrfGL0N2kv4tcOEijXrlMo6lfANp5pmhE0LWpGCB4tqzF4 +x8vRWb0/UOtm15MAEQEAAQ== +=Y9i2 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/ad/79f2237f143e7ead.fingerprints b/gradle/checksum-dependency-plugin/cached-pgp-keys/ad/79f2237f143e7ead.fingerprints new file mode 100644 index 00000000000..0969b99054c --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/ad/79f2237f143e7ead.fingerprints 
@@ -0,0 +1 @@ +c668130c58722c9dc1c0fc633f1eb974e7ab9b37 diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/b5/6da2b39d3a4085b5.fingerprints b/gradle/checksum-dependency-plugin/cached-pgp-keys/b5/6da2b39d3a4085b5.fingerprints new file mode 100644 index 00000000000..04f4be4c760 --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/b5/6da2b39d3a4085b5.fingerprints @@ -0,0 +1 @@ +e06a36f67d8c1bd13f1f278d0ca7139cbc7026f9 diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/c4/41cd49b4ef5876f9e9f691dabac30622339994c4.asc b/gradle/checksum-dependency-plugin/cached-pgp-keys/c4/41cd49b4ef5876f9e9f691dabac30622339994c4.asc new file mode 100644 index 00000000000..b982dc455eb --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/c4/41cd49b4ef5876f9e9f691dabac30622339994c4.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFlMExYBCACmdTDSXPwSJeYbfYvHoDl5C7vx/0+LOTunDGJN38pNQHYQAZnv +Gyoc9ZmChrhLoim7z4ILqmNo8eegknepQ3dGdUij4NVIhR+m+8irayTbsNHvo3UG +9y7eM5tTSjyNYkyk5fAVuT7OhzIzMA+qtc3GRVxNYRKnaHajt+pOSqr+uoDtMG3n +6eAMHCAnhgh5Nd+dCFcNT+syl3zCwolA1wrzGxxOaif+xi5wwXjmF/lAt4PDIuDT +etA2/AqPM4zAC0BtC0iqVgVypjFV3EAexm/g0LNMiG/M/krzwjPq5gf1DY/57jU0 +02FpKd79HmR7bHdc4e2olEf9NlHxfbPXDDsHABEBAAG5AQ0EWUwTFgEIANmMpV3N +K8aLrLgQTyh5++det8C3D3T5tkEdljHOuN31/qdKNge8H6uKH8zXRZsj5pd8adpW +kD4TzIMvzIwzizsGw34O9hf1E2XPoDqvQr39p1sovX3PeDvRJY/7JFNt9DsphVc3 +xWQfNkC7JdMPa6JRiFHd3ynfbQ+wplf4tfaDVn1JXAWp0NSGgMtXfn5i19hHQWjm +RNAKNQLdVn8UczI8XdVM7bS4giDpQMukSyjsjgAo466iRK2+8f8BwIRe1JRvF37B +dnbvTg/dzoi1/E4ukwVJD6YE2LlDwzdGno9KxPlRsuY3nnheVgjbrGJ2XKRJkIk8 +7cMGh41VKw6L4usAEQEAAQ== +=CqY7 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/c4/bac30622339994c4.fingerprints b/gradle/checksum-dependency-plugin/cached-pgp-keys/c4/bac30622339994c4.fingerprints new file mode 100644 index 00000000000..ab015cedb86 --- /dev/null 
+++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/c4/bac30622339994c4.fingerprints @@ -0,0 +1 @@ +41cd49b4ef5876f9e9f691dabac30622339994c4 diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/f9/0ca7139cbc7026f9.fingerprints b/gradle/checksum-dependency-plugin/cached-pgp-keys/f9/0ca7139cbc7026f9.fingerprints new file mode 100644 index 00000000000..04f4be4c760 --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/f9/0ca7139cbc7026f9.fingerprints @@ -0,0 +1 @@ +e06a36f67d8c1bd13f1f278d0ca7139cbc7026f9 diff --git a/gradle/checksum-dependency-plugin/cached-pgp-keys/f9/e06a36f67d8c1bd13f1f278d0ca7139cbc7026f9.asc b/gradle/checksum-dependency-plugin/cached-pgp-keys/f9/e06a36f67d8c1bd13f1f278d0ca7139cbc7026f9.asc new file mode 100644 index 00000000000..6ff1211b1c0 --- /dev/null +++ b/gradle/checksum-dependency-plugin/cached-pgp-keys/f9/e06a36f67d8c1bd13f1f278d0ca7139cbc7026f9.asc 
@@ -0,0 +1,26 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGB4oUgBEADRWQgoKgiLh40ItTA9dndbjOrGmkLaYLKLdWYXd384sDA/DNDP +s/Bj4Du0/3JRRW8Ld3P67AqI1Yhpw1kdmqKzd+jcUoYLxEAvh+enYeGIYEMRtKVD +S9vVSJ6jO7DxvY8f0XUCUyvtKd3UgJujCoFrcullo/hQh7pwlxKiLNWANOuC4TD6 +Bx6xZOHGSQbr66NInnhD9KgoVO/ajHqaFIs770XfzPHY54QgVaN+9Lg+tv0A8zUh +33yV6bVa1/v4XYUiJMf18tdMl/juHGDOjPp21uX+J8ma3a1EguPrPWZOdLRZEJQ4 +TgL1nr0LDdxPNHxcAT6ArMtqMFzTHXg2rT0O+XzaNozctf7hCS2XY7BFIO/9p3BN +UFRczvwndtzVUYTjDUWHNU7qtVvUty3rimeuVPoNAe4ZxVK3mNMvfzVPnuafwRE5 +5nI44qVBQPaP/RG/eETB5zysctU5tXOdCSymraEPNf1Mwc95EiRJmRa0SsfztyOu +yRnT5/k1kxP+p/mHBBwgaGKD6QzfBgfM30KF4DGMjGOzCFuIGd9HT+/l1av2W41B +PJj9sZN5Ww7PeFynZY9JYJZ7e7dWx2ogiqvw8iNzY+a1usPj7mcHo4WpOAct+cW+ +g5JLteO9rP6UR5fYCVS+Q9GtKd/Gub2CxsjR7W37y1oJsfJ6Vdrxcvzb/QARAQAB +uQINBGB4oUgBEADAHw3y9mV6AFjp//TLqWIfPJKJNT22xtKoooJ5/LWr3CKFr5JD +7R85UEsk/UXV+Jb0Ix55+3pQIj6MkkQqS69bVInb+U585eX4Jt//hfRpk+WphtxD +3Svsps9qV9i/WftALCszo17jo6iac9UJXAHFwN1SO7Y99F8zudJyZFPTDS0I57Gv +Q0SBKTWT7YSnb+tjVI31/7cVeF6HuLcgZrA+9JYO4vWU/4eSgh+CqIDfy2NgSVik +KgEQP0LtL+a03zgrkIOU6hFC90VJ3Cgs0NCHeFlnbFE/gmmwDrLI531RTEx29LSD +eqFRHtNQV6URjXg7AdcnIgR2FNTzClPQJRWA4xMAqd60QzeJVgvbhJXBMLp2KZon +dn7HWdkLfkKHDuLxbQ4TXUOLVTWHhvmYlufWWArqw8YSkQb0MrM80zjmMXxchh3k +abOj98/1STg2MSNCp6qP0NrbSzF3X0hnDliJJN70JISxrZuKZdL2gcjgqMp+NhoA +m5936Rrz4lb9dJW1/ZrH23Bl+dJ5e2BcjRmazJ+qB9iY/XUbFzDzGJysP6T+qy4A +ErKJXQ1o6RMCJsNidHsAAjdLp0i29kgclEB4uDhh84vNva/IMgOdX6BKnlqRpbQC +YLzefa164symp9qF3H8ate1obnsqK85GVSEmV84JHLi/f6SBvZQkA6SbgQARAQAB +=fzqF +-----END PGP PUBLIC KEY BLOCK----- diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts index cffe395a0ff..51e6b5cdd4a 100644 --- a/src/bom-thirdparty/build.gradle.kts +++ b/src/bom-thirdparty/build.gradle.kts 
@@ -68,7 +68,7 @@ dependencies { api("commons-lang:commons-lang:2.6") api("commons-logging:commons-logging:1.3.0") api("commons-net:commons-net:3.10.0") - api("dnsjava:dnsjava:2.1.9") + api("dnsjava:dnsjava:3.6.5") api("io.burt:jmespath-core:0.6.0") api("io.burt:jmespath-jackson:0.6.0") api("javax.activation:javax.activation-api:1.2.0") diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv index 0ba4f320c5b..414ef4247d2 100644 --- a/src/dist/src/dist/expected_release_jars.csv +++ b/src/dist/src/dist/expected_release_jars.csv @@ -50,7 +50,7 @@ 353322,datamodel-jvm-4.1.0.jar 98115,dec-0.1.2.jar 95287,deprecated-in-v4-jvm-4.1.0.jar -320748,dnsjava-2.1.9.jar +602322,dnsjava-3.6.5.jar 16829,error_prone_annotations-2.24.0.jar 1736381,freemarker-2.3.32.jar 32359,geronimo-jms_1.1_spec-1.1.1.jar diff --git a/src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/control/DNSCacheManager.java b/src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/control/DNSCacheManager.java index 8b67fa1f760..688d4788162 100644 --- a/src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/control/DNSCacheManager.java +++ b/src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/control/DNSCacheManager.java @@ -270,7 +270,7 @@ private InetAddress[] customRequestLookup(String host) throws UnknownHostExcepti Lookup lookup = new Lookup(host, Type.A); lookup.setCache(lookupCache); if (timeoutMs > 0) { - resolver.setTimeout(timeoutMs / 1000, timeoutMs % 1000); + resolver.setTimeout(java.time.Duration.ofMillis(timeoutMs)); } lookup.setResolver(resolver); Record[] records = lookup.run(); diff --git a/src/protocol/http/src/test/java/org/apache/jmeter/protocol/http/control/DnsManagerTest.java b/src/protocol/http/src/test/java/org/apache/jmeter/protocol/http/control/DnsManagerTest.java deleted file mode 100644 index 1f52c9c9d71..00000000000 
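Review bot: The custom-resolver path in `customRequestLookup` (DNSCacheManager.java) may no longer be isolated from the local hosts file after the dnsjava 3.x upgrade, and this hunk adapts only the timeout call. The same patch deletes `DnsManagerTest`, whose single test asserted that `localhost` fails to resolve when an unreachable custom server is configured, and adds no replacement. If the reason is that the 3.x `Lookup` answers from the hosts file before it queries the resolver, that is a user-visible behaviour change that should be documented or switched off with `lookup.setHostsFileParser(null);` before `lookup.run()`, with the test adapted rather than removed. Separately, `java.time.Duration` is written fully qualified inside the call; `import java.time.Duration;` plus `resolver.setTimeout(Duration.ofMillis(timeoutMs));` reads better, provided the import block (outside this hunk) has no conflicting `Duration`. The method body starts and ends outside the hunk.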
--- a/src/protocol/http/src/test/java/org/apache/jmeter/protocol/http/control/DnsManagerTest.java
+++ /dev/null
@@ -1,62 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to you under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.jmeter.protocol.http.control; - -import org.apache.jmeter.protocol.http.sampler.HTTPSampler; -import org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase; -import org.apache.jmeter.protocol.http.sampler.HTTPSamplerFactory; -import org.apache.jmeter.protocol.http.sampler.ResultAsString; -import org.apache.jmeter.samplers.SampleResult; -import org.apache.jmeter.wiremock.WireMockExtension; -import org.junit.jupiter.api.Assertions; -import org.junit.jupiter.api.Assumptions; -import org.junit.jupiter.api.extension.ExtendWith; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; - -import com.github.tomakehurst.wiremock.WireMockServer; - -@ExtendWith(WireMockExtension.class) -public class DnsManagerTest { - @ParameterizedTest - @MethodSource("org.apache.jmeter.protocol.http.sampler.HTTPSamplerFactory#getImplementations") - void badDnsInCustomResolverShouldFailHttpSampler(String httpImplementation, WireMockServer server) { - Assumptions.assumeTrue(!HTTPSamplerFactory.IMPL_JAVA.equals(httpImplementation), - "Java implementation does not support custom DNS resolver yet"); - 
DNSCacheManager dns = new DNSCacheManager(); - dns.setCustomResolver(true); - dns.addServer("20.0.118.11"); - // By default it uses 3 retries (see org.xbill.DNS.ExtendedResolver#setRetries) - dns.setTimeoutMs(2000); - HTTPSamplerBase http = HTTPSamplerFactory.newInstance(httpImplementation); - http.setDNSResolver(dns); - http.setMethod(HTTPSampler.GET); - http.setPort(server.port()); - http.setDomain("localhost"); - http.setPath("/index.html"); - - http.setRunningVersion(true); - - SampleResult result = http.sample(); - Assertions.assertEquals( - "Non HTTP response message: Failed to resolve host name: localhost", - result.getResponseMessage(), () -> - "HTTP is using a custom DNS resolver, so it must fail resolving localhost \n" + - ResultAsString.toString(result)); - } -} diff --git a/src/protocol/http/src/test/kotlin/org/apache/jmeter/protocol/http/control/DNSCacheManagerTest.kt b/src/protocol/http/src/test/kotlin/org/apache/jmeter/protocol/http/control/DNSCacheManagerTest.kt index 1c23d84a4a5..0041b060aeb 100644 --- a/src/protocol/http/src/test/kotlin/org/apache/jmeter/protocol/http/control/DNSCacheManagerTest.kt +++ b/src/protocol/http/src/test/kotlin/org/apache/jmeter/protocol/http/control/DNSCacheManagerTest.kt @@ -120,7 +120,7 @@ class DNSCacheManagerTest { fun `Valid DNS resolves and caches with custom resolve true`() { assumeLocalDnsResolverOK() for (dns in VALID_DNS_SERVERS) { - sut.addServer(dns) + sut.addServer(dns.hostString) } sut.isCustomResolver = true sut.timeoutMs = 5000 @@ -134,7 +134,7 @@ class DNSCacheManagerTest { fun `Cache should be used where entries exist`() { assumeLocalDnsResolverOK() for (dns in VALID_DNS_SERVERS) { - sut.addServer(dns) + sut.addServer(dns.hostString) } sut.isCustomResolver = true sut.timeoutMs = 5000 From 184d191c13c40e66fb7cc855e3bd5368870859a2 Mon Sep 17 00:00:00 2001 
From: Vladimir Sitnikov Date: Sun, 24 May 2026 13:27:18 +0300 Subject: [PATCH 10/11] fix(deps): bump tika-core to 2.9.4 and drop tika-parsers Fixes CVE-2025-66516 (CVSS 10.0 Critical) in tika-core and CVE-2025-54988 + CVE-2025-66516 in tika-parsers. The 1.x line received no patch; both CVEs are addressed in 2.x. JMeter only uses tika-core's `Tika.detect` (HTTPFileArg, ParseCurlCommandAction) and the AutoDetectParser API (Document.java). Those APIs are stable across 1.x -> 2.x for our usage, so the bump is source-compatible. tika-parsers is removed from src/core/build.gradle.kts and src/protocol/http/build.gradle.kts (mirrors master commit 23fa6d530). The 1.x parsers monolith was never wired into the public JMeter API, and Tika 2.x restructured it across many sub-modules. Dropping the dependency entirely avoids pulling those transitives into the release distribution and side-steps the parsers CVEs without bumping to the 2.x parsers-standard-package. Verified: ./gradlew -Prelease --continue build on JDK 8. --- src/bom-thirdparty/build.gradle.kts | 3 +-- src/core/build.gradle.kts | 5 ----- src/dist/src/dist/expected_release_jars.csv | 3 +-- src/protocol/http/build.gradle.kts | 5 ----- 4 files changed, 2 insertions(+), 14 deletions(-) diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts index 51e6b5cdd4a..267dcfa9f15 100644 --- a/src/bom-thirdparty/build.gradle.kts +++ b/src/bom-thirdparty/build.gradle.kts @@ -112,8 +112,7 @@ dependencies { api("org.apache.logging.log4j:log4j-core:2.25.4") api("org.apache.logging.log4j:log4j-slf4j-impl:2.25.4") api("org.apache.rat:apache-rat:0.15") - api("org.apache.tika:tika-core:1.28.5") - api("org.apache.tika:tika-parsers:1.28.5") + api("org.apache.tika:tika-core:2.9.4") api("org.apache.velocity:velocity:1.7") api("org.apache.xmlgraphics:batik-anim:1.17") api("org.apache.xmlgraphics:batik-awt-util:1.17") 
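Review bot: The pin `api("org.apache.tika:tika-core:2.9.4")` in src/bom-thirdparty/build.gradle.kts should be checked against the published advisory for CVE-2025-66516 before it is described as the fix. The commit message states that the 2.x line addresses the issue, but nothing in the patch cites the advisory's affected range for tika-core, and as far as I recall that range is not limited to the 1.x releases. If 2.9.4 is still listed as affected, the mitigation this patch actually delivers is the removal of `tika-parsers`, and the commit message and release notes should say so instead of naming a fixed version. A comment above the pin such as `// tika-core only; parser modules are deliberately not bundled, see the CVE-2025-66516 advisory` would keep that reasoning next to the dependency.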
diff --git a/src/core/build.gradle.kts b/src/core/build.gradle.kts index 38fa682e8e6..101ef4b483c 100644 --- a/src/core/build.gradle.kts +++ b/src/core/build.gradle.kts @@ -101,14 +101,9 @@ dependencies { because("Mean, DescriptiveStatistics") } implementation("org.apache.commons:commons-text") - // For some reason JMeter bundles just tika-core and tika-parsers without transitive - // dependencies. So we exclude those implementation("org.apache.tika:tika-core") { isTransitive = false } - runtimeOnly("org.apache.tika:tika-parsers") { - isTransitive = false - } implementation("org.apache.xmlgraphics:xmlgraphics-commons") implementation("org.freemarker:freemarker") implementation("org.jodd:jodd-core") diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv index 414ef4247d2..e79dfeae8c6 100644 --- a/src/dist/src/dist/expected_release_jars.csv +++ b/src/dist/src/dist/expected_release_jars.csv @@ -127,8 +127,7 @@ 320794,svgSalamander-1.1.4.jar 10192,swing-extensions-laf-support-0.1.3.jar 2539,swing-extensions-visual-padding-0.1.3.jar -736051,tika-core-1.28.5.jar -1588025,tika-parsers-1.28.5.jar +744600,tika-core-2.9.4.jar 3455761,xalan-2.7.3.jar 1446149,xercesImpl-2.12.2.jar 220536,xml-apis-1.4.01.jar diff --git a/src/protocol/http/build.gradle.kts b/src/protocol/http/build.gradle.kts index 2b1dd7f1aca..9d0a627cbeb 100644 --- a/src/protocol/http/build.gradle.kts +++ b/src/protocol/http/build.gradle.kts @@ -80,12 +80,7 @@ dependencies { testImplementation(testFixtures(projects.src.core)) testImplementation(testFixtures(projects.src.testkitWiremock)) testImplementation("com.github.tomakehurst:wiremock-jre8") - // For some reason JMeter bundles just tika-core and tika-parsers without transitive - // dependencies. So we exclude those implementation("org.apache.tika:tika-core") { isTransitive = false } - runtimeOnly("org.apache.tika:tika-parsers") { - isTransitive = false - } } 
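Review bot: The `implementation("org.apache.tika:tika-core") { isTransitive = false }` block in src/core/build.gradle.kts loses its explanatory comment in this patch, and the same happens in src/protocol/http/build.gradle.kts, so the reason for excluding transitives is no longer recorded anywhere in the build scripts. The commit message says Document.java still goes through the AutoDetectParser API; with no parser module on the runtime classpath that path presumably can detect a type but not extract text unless the user supplies parser jars, which is worth confirming and mentioning in the user documentation. I would keep a one-line comment above each block: `// JMeter bundles only tika-core (Tika.detect, AutoDetectParser API), without transitive dependencies or parser modules`.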
From 43b265402978aa8fe52c2d43b3895ae3aad89cc5 Mon Sep 17 00:00:00 2001 From: Vladimir Sitnikov Date: Sun, 24 May 2026 14:32:51 +0300 Subject: [PATCH 11/11] fix(deps): bump org.apache.commons:commons-lang3 to 3.18.0 Fixes CVE-2025-48924 (CVSS 6.5 Medium): commons-lang3 ClassUtils.getClass(String) recursed without bound on crafted input, allowing denial of service via StackOverflowError. The patch is in 3.18.0; no earlier 3.x fix was released. 3.18.0 deprecated a handful of widely-used helpers (ObjectUtils.defaultIfNull, StringUtils.startsWith/endsWith/endsWithIgnoreCase/containsAnyIgnoreCase/replace, RegExUtils.replaceAll, RandomStringUtils.random). Since `-Werror` is on, each call site is annotated with @SuppressWarnings("deprecation") at the narrowest scope that still compiles. A follow-up commit can rewrite those call sites to core Java once the dependency is gone (see master's b362137 for the pattern). Verified: ./gradlew -Prelease --continue build on JDK 8. --- src/bom-thirdparty/build.gradle.kts | 2 +- .../main/java/org/apache/jmeter/gui/action/RawTextSearcher.java | 1 + .../src/main/java/org/apache/jmeter/gui/util/JMeterToolBar.java | 1 + .../apache/jmeter/report/processor/ApdexSummaryConsumer.java | 1 + src/dist/src/dist/expected_release_jars.csv | 2 +- .../src/main/java/org/apache/jmeter/functions/RandomString.java | 1 + .../src/main/java/org/apache/jorphan/gui/ObjectTableSorter.java | 2 ++ .../org/apache/jmeter/protocol/bolt/sampler/BoltSampler.java | 1 + .../jmeter/protocol/http/util/GraphQLRequestParamUtils.java | 1 + .../jmeter/protocol/http/util/TestGraphQLRequestParamUtils.java | 1 + .../org/apache/jmeter/protocol/jdbc/sampler/JDBCSampler.java | 1 + 11 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts index 267dcfa9f15..67420c48a3a 100644 --- a/src/bom-thirdparty/build.gradle.kts +++ b/src/bom-thirdparty/build.gradle.kts 
@@ -96,7 +96,7 @@ dependencies { api("org.apache.commons:commons-dbcp2:2.9.0") api("org.apache.commons:commons-jexl3:3.2.1") api("org.apache.commons:commons-jexl:2.1.1") - api("org.apache.commons:commons-lang3:3.14.0") + api("org.apache.commons:commons-lang3:3.18.0") api("org.apache.commons:commons-math3:3.6.1") api("org.apache.commons:commons-pool2:2.12.0") api("org.apache.commons:commons-text:1.11.0") diff --git a/src/core/src/main/java/org/apache/jmeter/gui/action/RawTextSearcher.java b/src/core/src/main/java/org/apache/jmeter/gui/action/RawTextSearcher.java index 946e9c3163e..81f9054ee0d 100644 --- a/src/core/src/main/java/org/apache/jmeter/gui/action/RawTextSearcher.java +++ b/src/core/src/main/java/org/apache/jmeter/gui/action/RawTextSearcher.java @@ -42,6 +42,7 @@ public RawTextSearcher(boolean caseSensitive, String textToSearch) { * {@inheritDoc} */ @Override + @SuppressWarnings("deprecation") public boolean search(List textTokens) { return textTokens.stream() .filter(StringUtils::isNotEmpty) diff --git a/src/core/src/main/java/org/apache/jmeter/gui/util/JMeterToolBar.java b/src/core/src/main/java/org/apache/jmeter/gui/util/JMeterToolBar.java index 73a59b33b49..c7399136dc3 100644 --- a/src/core/src/main/java/org/apache/jmeter/gui/util/JMeterToolBar.java +++ b/src/core/src/main/java/org/apache/jmeter/gui/util/JMeterToolBar.java @@ -154,6 +154,7 @@ private static JButton makeButtonItemRes(IconToolbarBean iconBean) throws Except return button; } + @SuppressWarnings("deprecation") private static Icon loadIcon(IconToolbarBean iconBean, String iconPath) throws URISyntaxException { final URL imageURL = JMeterUtils.class.getClassLoader().getResource(iconPath); if (imageURL == null) { diff --git a/src/core/src/main/java/org/apache/jmeter/report/processor/ApdexSummaryConsumer.java b/src/core/src/main/java/org/apache/jmeter/report/processor/ApdexSummaryConsumer.java index 6fc9144ae06..e5508af46b4 100644 
--- a/src/core/src/main/java/org/apache/jmeter/report/processor/ApdexSummaryConsumer.java +++ b/src/core/src/main/java/org/apache/jmeter/report/processor/ApdexSummaryConsumer.java @@ -52,6 +52,7 @@ public ApdexSummaryConsumer() { } @Override + @SuppressWarnings("deprecation") protected ListResultData createDataResult(String key, ApdexSummaryData data) { Double apdex = getApdex(data); ApdexThresholdsInfo thresholdsInfo = data.getApdexThresholdInfo(); diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv index e79dfeae8c6..b12994c33ce 100644 --- a/src/dist/src/dist/expected_release_jars.csv +++ b/src/dist/src/dist/expected_release_jars.csv @@ -32,7 +32,7 @@ 267634,commons-jexl-2.1.1.jar 462124,commons-jexl3-3.2.1.jar 760623,commons-jvm-4.1.0.jar -657952,commons-lang3-3.14.0.jar +702952,commons-lang3-3.18.0.jar 70816,commons-logging-1.3.0.jar 2213560,commons-math3-3.6.1.jar 322780,commons-net-3.10.0.jar diff --git a/src/functions/src/main/java/org/apache/jmeter/functions/RandomString.java b/src/functions/src/main/java/org/apache/jmeter/functions/RandomString.java index e0528d1c770..af1c36e652d 100644 --- a/src/functions/src/main/java/org/apache/jmeter/functions/RandomString.java +++ b/src/functions/src/main/java/org/apache/jmeter/functions/RandomString.java @@ -71,6 +71,7 @@ public RandomString() { /** {@inheritDoc} */ @Override + @SuppressWarnings("deprecation") public String execute(SampleResult previousResult, Sampler currentSampler) throws InvalidVariableException { diff --git a/src/jorphan/src/main/java/org/apache/jorphan/gui/ObjectTableSorter.java b/src/jorphan/src/main/java/org/apache/jorphan/gui/ObjectTableSorter.java index cd7bf6f8510..dacf429e71f 100644 --- a/src/jorphan/src/main/java/org/apache/jorphan/gui/ObjectTableSorter.java +++ b/src/jorphan/src/main/java/org/apache/jorphan/gui/ObjectTableSorter.java 
@@ -146,6 +146,7 @@ public ObjectTableSorter fixLastRow() { * @param comparator Column value comparator. * @return this */ + @SuppressWarnings("deprecation") public ObjectTableSorter setValueComparator(int column, Comparator comparator) { invalidate(); valueComparators[column] = ObjectUtils.defaultIfNull(comparator, getDefaultComparator(column)); @@ -183,6 +184,7 @@ protected Comparator getDefaultComparator(int column) { * difference * @return this */ + @SuppressWarnings("deprecation") public ObjectTableSorter setFallbackComparator(Comparator comparator) { invalidate(); fallbackComparator = ObjectUtils.defaultIfNull(comparator, Comparator.comparingInt(Row::getIndex)); diff --git a/src/protocol/bolt/src/main/java/org/apache/jmeter/protocol/bolt/sampler/BoltSampler.java b/src/protocol/bolt/src/main/java/org/apache/jmeter/protocol/bolt/sampler/BoltSampler.java index 78f2a413381..83fd32db023 100644 --- a/src/protocol/bolt/src/main/java/org/apache/jmeter/protocol/bolt/sampler/BoltSampler.java +++ b/src/protocol/bolt/src/main/java/org/apache/jmeter/protocol/bolt/sampler/BoltSampler.java @@ -124,6 +124,7 @@ private String execute(Driver driver, String cypher, Map params, } } + @SuppressWarnings("deprecation") private static SampleResult handleException(SampleResult res, Exception ex) { res.setResponseMessage(ex.toString()); if (ex instanceof Neo4jException) { diff --git a/src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/util/GraphQLRequestParamUtils.java b/src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/util/GraphQLRequestParamUtils.java index f64ba780992..d4ff8e79f47 100644 --- a/src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/util/GraphQLRequestParamUtils.java +++ b/src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/util/GraphQLRequestParamUtils.java 
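Review bot: In ObjectTableSorter.java the two new `@SuppressWarnings("deprecation")` annotations can be avoided, because the deprecated call is visible in each hunk and has a one-line core-Java equivalent. In `setValueComparator` use `valueComparators[column] = comparator != null ? comparator : getDefaultComparator(column);` and in `setFallbackComparator` use `fallbackComparator = comparator != null ? comparator : Comparator.comparingInt(Row::getIndex);`, which drops the `ObjectUtils.defaultIfNull` dependency at these sites. The only behavioural difference is that the default is computed only when it is needed, which matters only if an override of `getDefaultComparator` has side effects. Both method bodies continue past their hunks.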
@@ -46,6 +46,7 @@ /** * Utilities to (de)serialize GraphQL request parameters. */ +@SuppressWarnings("deprecation") public final class GraphQLRequestParamUtils { public static final String VARIABLES_FIELD = "variables"; diff --git a/src/protocol/http/src/test/java/org/apache/jmeter/protocol/http/util/TestGraphQLRequestParamUtils.java b/src/protocol/http/src/test/java/org/apache/jmeter/protocol/http/util/TestGraphQLRequestParamUtils.java index 5ad929b5c13..c2f9237f71f 100644 --- a/src/protocol/http/src/test/java/org/apache/jmeter/protocol/http/util/TestGraphQLRequestParamUtils.java +++ b/src/protocol/http/src/test/java/org/apache/jmeter/protocol/http/util/TestGraphQLRequestParamUtils.java @@ -41,6 +41,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.json.JsonMapper; +@SuppressWarnings("deprecation") class TestGraphQLRequestParamUtils { private static final String OPERATION_NAME = ""; diff --git a/src/protocol/jdbc/src/main/java/org/apache/jmeter/protocol/jdbc/sampler/JDBCSampler.java b/src/protocol/jdbc/src/main/java/org/apache/jmeter/protocol/jdbc/sampler/JDBCSampler.java index 7c23db03a82..05d4ebad5cc 100644 --- a/src/protocol/jdbc/src/main/java/org/apache/jmeter/protocol/jdbc/sampler/JDBCSampler.java +++ b/src/protocol/jdbc/src/main/java/org/apache/jmeter/protocol/jdbc/sampler/JDBCSampler.java @@ -54,6 +54,7 @@ public JDBCSampler() { } @Override + @SuppressWarnings("deprecation") public SampleResult sample(Entry e) { SampleResult res = new SampleResult(); res.setSampleLabel(getName());
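Review bot: `@SuppressWarnings("deprecation")` is placed on the whole `GraphQLRequestParamUtils` class, and likewise on the `TestGraphQLRequestParamUtils` class in the next hunk, whereas the other files in this patch annotate single methods and the commit message promises the narrowest scope that compiles. A class-level suppression also silences every deprecation warning introduced later anywhere in the class, which weakens the `-Werror` check for exactly this kind of API drift. Unless the deprecated call sits in a field initializer or static block (the hunks do not show the call sites), move the annotation to the methods that use the deprecated helper and add a comment naming it, for example `// StringUtils.<helper> is deprecated since commons-lang3 3.18.0`. The class bodies lie outside both hunks.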