Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency com.github.tomakehurst:wiremock-jre8 to v2.35.1 #13

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency com.github.tomakehurst:wiremock-jre8 to v2.35.1 #13

wants to merge 1 commit into from

Conversation

mend-for-jackfan.us.kg[bot]
Copy link

@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot commented Sep 19, 2023
edited
Loading

This PR contains the following updates:

Package Type Update Change
com.github.tomakehurst:wiremock-jre8 (source) dependencies minor 2.34.0 -> 2.35.1

By merging this PR, the issue #8 will be automatically resolved and closed:

Severity CVSS Score CVE Reachability
Low Low 3.9 CVE-2023-41329

Unreachable

Release Notes

wiremock/wiremock (com.github.tomakehurst:wiremock-jre8)

v2.35.1: - Security Release

Compare Source

🔒 This is a security release that addresses the following issues

NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments

Credits: @​W0rty, @​numacanedo, @​Mahoney, @​tomakehurst, @​oleg-nenashev

v2.35.0

Compare Source

Enhancements

  • Add a negative contains matcher - thanks Damian Orzepowski
  • Expose a Java API method for removing stubs by ID - thanks Patryk Fraczek
  • Document the import API in the OpenAPI doc - thanks to user i-whammy
  • Added the ability to restrict the addresses WireMock can proxy/record to, as a security measure.

Fixes

  • Strip Maven directories from the standalone JAR as some were appearing that weren't related to dependencies actually present, confusing scanning tools - thanks to user krageon
  • Dropped back to slf4j 1.7.36 and relocate it in the standalone JAR (ensuring 2.x users won't experience conflicts).
  • If you want to rebase/retry this PR, check this box

@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot added the security fix Security fix generated by Mend label Sep 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
security fix Security fix generated by Mend
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants