Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Bump spring.version from 2.5.6.SEC03 to 5.1.6.RELEASE #25

Closed
wants to merge 1 commit into from
Closed

[Security] Bump spring.version from 2.5.6.SEC03 to 5.1.6.RELEASE #25

wants to merge 1 commit into from

Conversation

dependabot-preview[bot]
Copy link

Bumps spring.version from 2.5.6.SEC03 to 5.1.6.RELEASE.

Updates spring-webmvc from 2.5.6.SEC03 to 5.1.6.RELEASE

Release notes

Sourced from spring-webmvc's releases.

v5.1.6.RELEASE

⭐ New Features

  • Improve exception handling when Hibernate-related bean creation fails #22689
  • STOMP servers MUST handle a STOMP frame in the same manner as a CONNECT frame #22652
  • Performance improvement in RequestMappingInfo #22598
  • Skip more classes when processing beans in EventListenerMethodProcessor #22564
  • Jackson2Tokenizer ignores USE_BIG_DECIMAL_FOR_FLOATS deserialization feature #22510
  • Revisit XML schema handling for consistent local vs external resolution #22504
  • JdbcTemplate.extractOutputParameters should preserve order of parameters #22491
  • Lazy Session initialisation for JmsTransactionManager #22468
  • MappingJackson2MessageConverter with Jackson Smile #22444
  • Cannot define custom XmlFactory with Jackson2ObjectMapperBuilder.xml() #22428
  • Directly registered FactoryBeans are instantiated more aggressively than those defined via [@​Bean](https://github.com/Bean) methods #22409
  • Provide additional debug information for memory leaks via ByteBuf.touch [SPR-17427] #21960
  • Suppress Reactor Netty "disconnected client" exceptions the logs [SPR-17257] #21790

🪲 Bug Fixes

  • JdbcOperationsExtensions.queryForObject overload which takes in lambda - allow null value to be returned? #22682
  • Avoid duplicate registration of [@​ControllerAdvice](https://github.com/ControllerAdvice) implementing both RequestBodyAdvice and ResponseBodyAdvice #22638
  • Locale inconsistently resolves to null for invalid input value #22603
  • Jackson2ObjectMapperBuilder's modulesToInstall function does not eventually override the default configuration #22576
  • ServletWebRequest.getHeaderValues throwing NPE when header information is not available #22547
  • Fix repeat DataBuffer#write(CharSequence, Charset) calls #22484
  • Last-Modified Date format changed with SPR-17571 to not have double digit day #22478
  • [@​RequestMapping](https://github.com/RequestMapping) content negotiation should not impact error responses formats #22452
  • AbstractTraceInterceptor causes problems when implemented in Kotlin #22435
  • Events extending from PayloadApplicationEvent and implementing an interface fail to match [@​EventListener](https://github.com/EventListener) argument #22426
  • ReflectUtils.defineClass() ignores the ClassLoader argument in Java 11 #22416
  • DefaultConversionService fails to properly convert an Object[] to a int[] #22410
  • Ensure indexer gracefully handle missing meta annotations #22385

📔 Documentation

  • Update documentation for WebJar support #22613
  • remove broken link "overview.html#background-ioc" in doc core.html #22597
  • PDF Documentation Spring-Core 5.1.5: Occurrences of a STRONG tag, where we should see a bold font #22577
  • Using MockMvc to test Flux endpoints? #22544
  • Documentation about aspectj and agent configuration is outdated and confusing #22429
  • Add guidelines about using checked exception with proxies in Kotlin #22412

🔨 Dependency Upgrades

  • Upgrade to reactor-netty 0.8.6 for Webflux #22693

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

... (truncated)
Commits

Updates spring-core from 2.5.6.SEC03 to 5.1.6.RELEASE. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core and org.springframework.security:spring-security-core
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Affected versions: < 4.3.1

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Affected versions: < 3.2.14

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Affected versions: < 4.3.16

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Affected versions: < 4.3.15

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Affected versions: < 4.3.15

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Affected versions: < 4.3.16

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

Affected versions: < 4.3.17

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Affected versions: < 3.2.18

Release notes

Sourced from spring-core's releases.

v5.1.6.RELEASE

⭐ New Features

  • Improve exception handling when Hibernate-related bean creation fails #22689
  • STOMP servers MUST handle a STOMP frame in the same manner as a CONNECT frame #22652
  • Performance improvement in RequestMappingInfo #22598
  • Skip more classes when processing beans in EventListenerMethodProcessor #22564
  • Jackson2Tokenizer ignores USE_BIG_DECIMAL_FOR_FLOATS deserialization feature #22510
  • Revisit XML schema handling for consistent local vs external resolution #22504
  • JdbcTemplate.extractOutputParameters should preserve order of parameters #22491
  • Lazy Session initialisation for JmsTransactionManager #22468
  • MappingJackson2MessageConverter with Jackson Smile #22444
  • Cannot define custom XmlFactory with Jackson2ObjectMapperBuilder.xml() #22428
  • Directly registered FactoryBeans are instantiated more aggressively than those defined via [@&#8203;Bean](https://github.com/Bean) methods #22409
  • Provide additional debug information for memory leaks via ByteBuf.touch [SPR-17427] #21960
  • Suppress Reactor Netty "disconnected client" exceptions the logs [SPR-17257] #21790

🪲 Bug Fixes

  • JdbcOperationsExtensions.queryForObject overload which takes in lambda - allow null value to be returned? #22682
  • Avoid duplicate registration of [@&#8203;ControllerAdvice](https://github.com/ControllerAdvice) implementing both RequestBodyAdvice and ResponseBodyAdvice #22638
  • Locale inconsistently resolves to null for invalid input value #22603
  • Jackson2ObjectMapperBuilder's modulesToInstall function does not eventually override the default configuration #22576
  • ServletWebRequest.getHeaderValues throwing NPE when header information is not available #22547
  • Fix repeat DataBuffer#write(CharSequence, Charset) calls #22484
  • Last-Modified Date format changed with SPR-17571 to not have double digit day #22478
  • [@&#8203;RequestMapping](https://github.com/RequestMapping) content negotiation should not impact error responses formats #22452
  • AbstractTraceInterceptor causes problems when implemented in Kotlin #22435
  • Events extending from PayloadApplicationEvent and implementing an interface fail to match [@&#8203;EventListener](https://github.com/EventListener) argument #22426
  • ReflectUtils.defineClass() ignores the ClassLoader argument in Java 11 #22416
  • DefaultConversionService fails to properly convert an Object[] to a int[] #22410
  • Ensure indexer gracefully handle missing meta annotations #22385

📔 Documentation

  • Update documentation for WebJar support #22613
  • remove broken link "overview.html#background-ioc" in doc core.html #22597
  • PDF Documentation Spring-Core 5.1.5: Occurrences of a STRONG tag, where we should see a bold font #22577
  • Using MockMvc to test Flux endpoints? #22544
  • Documentation about aspectj and agent configuration is outdated and confusing #22429
  • Add guidelines about using checked exception with proxies in Kotlin #22412

🔨 Dependency Upgrades

  • Upgrade to reactor-netty 0.8.6 for Webflux #22693

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

... (truncated)
Commits

Updates spring-aop from 2.5.6.SEC03 to 5.1.6.RELEASE

Release notes

Sourced from spring-aop's releases.

v5.1.6.RELEASE

⭐ New Features

  • Improve exception handling when Hibernate-related bean creation fails #22689
  • STOMP servers MUST handle a STOMP frame in the same manner as a CONNECT frame #22652
  • Performance improvement in RequestMappingInfo #22598
  • Skip more classes when processing beans in EventListenerMethodProcessor #22564
  • Jackson2Tokenizer ignores USE_BIG_DECIMAL_FOR_FLOATS deserialization feature #22510
  • Revisit XML schema handling for consistent local vs external resolution #22504
  • JdbcTemplate.extractOutputParameters should preserve order of parameters #22491
  • Lazy Session initialisation for JmsTransactionManager #22468
  • MappingJackson2MessageConverter with Jackson Smile #22444
  • Cannot define custom XmlFactory with Jackson2ObjectMapperBuilder.xml() #22428
  • Directly registered FactoryBeans are instantiated more aggressively than those defined via [@&#8203;Bean](https://github.com/Bean) methods #22409
  • Provide additional debug information for memory leaks via ByteBuf.touch [SPR-17427] #21960
  • Suppress Reactor Netty "disconnected client" exceptions the logs [SPR-17257] #21790

🪲 Bug Fixes

  • JdbcOperationsExtensions.queryForObject overload which takes in lambda - allow null value to be returned? #22682
  • Avoid duplicate registration of [@&#8203;ControllerAdvice](https://github.com/ControllerAdvice) implementing both RequestBodyAdvice and ResponseBodyAdvice #22638
  • Locale inconsistently resolves to null for invalid input value #22603
  • Jackson2ObjectMapperBuilder's modulesToInstall function does not eventually override the default configuration #22576
  • ServletWebRequest.getHeaderValues throwing NPE when header information is not available #22547
  • Fix repeat DataBuffer#write(CharSequence, Charset) calls #22484
  • Last-Modified Date format changed with SPR-17571 to not have double digit day #22478
  • [@&#8203;RequestMapping](https://github.com/RequestMapping) content negotiation should not impact error responses formats #22452
  • AbstractTraceInterceptor causes problems when implemented in Kotlin #22435
  • Events extending from PayloadApplicationEvent and implementing an interface fail to match [@&#8203;EventListener](https://github.com/EventListener) argument #22426
  • ReflectUtils.defineClass() ignores the ClassLoader argument in Java 11 #22416
  • DefaultConversionService fails to properly convert an Object[] to a int[] #22410
  • Ensure indexer gracefully handle missing meta annotations #22385

📔 Documentation

  • Update documentation for WebJar support #22613
  • remove broken link "overview.html#background-ioc" in doc core.html #22597
  • PDF Documentation Spring-Core 5.1.5: Occurrences of a STRONG tag, where we should see a bold font #22577
  • Using MockMvc to test Flux endpoints? #22544
  • Documentation about aspectj and agent configuration is outdated and confusing #22429
  • Add guidelines about using checked exception with proxies in Kotlin #22412

🔨 Dependency Upgrades

  • Upgrade to reactor-netty 0.8.6 for Webflux #22693

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

... (truncated)
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

@dependabot-support
[Security] Bump spring.version from 2.5.6.SEC03 to 5.1.6.RELEASE
885d287 
Bumps `spring.version` from 2.5.6.SEC03 to 5.1.6.RELEASE.

Updates `spring-webmvc` from 2.5.6.SEC03 to 5.1.6.RELEASE
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/commits/v5.1.6.RELEASE)

Updates `spring-core` from 2.5.6.SEC03 to 5.1.6.RELEASE
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/commits/v5.1.6.RELEASE)

Updates `spring-aop` from 2.5.6.SEC03 to 5.1.6.RELEASE
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/commits/v5.1.6.RELEASE)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Apr 1, 2019
This was referenced Apr 1, 2019
Closed
Closed
Closed
@dependabot-preview
Copy link
Author

Superseded by #28.

@dependabot-preview dependabot-preview bot deleted the dependabot/maven/spring.version-5.1.6.RELEASE branch May 10, 2019 04:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@dependabot-support