Update Spring security to 5.6.0 to fix WS-2016-7107 #25488

Merged
merged 1 commit into from
Nov 18, 2021


backwind1233
Contributor

WS-2016-7107

CSRF tokens in Spring Security are vulnerable to a BREACH attack. Spring Security always returns the same CSRF token to the browser.

Location:
image
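
One general mitigation for the problem described above, a token that is byte-for-byte identical in every response, is to mask it with a fresh random pad each time it is rendered and unmask it on submission. This is an added example, not code from this pull request or from Spring Security; the class and method names are hypothetical and the sample token is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration (hypothetical class): per-response masking of a CSRF token.
public class MaskedCsrfToken {
    private static final SecureRandom RNG = new SecureRandom();

    // Returns base64url(pad || (token XOR pad)); a fresh pad makes every rendering differ.
    static String mask(String sessionToken) {
        byte[] token = sessionToken.getBytes(StandardCharsets.UTF_8);
        byte[] pad = new byte[token.length];
        RNG.nextBytes(pad);
        byte[] out = new byte[token.length * 2];
        System.arraycopy(pad, 0, out, 0, pad.length);
        for (int i = 0; i < token.length; i++) {
            out[pad.length + i] = (byte) (token[i] ^ pad[i]);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Unmasks a submitted value and compares it to the session token in constant time.
    static boolean matches(String submitted, String sessionToken) {
        if (submitted == null) {
            return false;
        }
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(submitted);
        } catch (IllegalArgumentException e) {
            return false; // not valid base64url
        }
        byte[] expected = sessionToken.getBytes(StandardCharsets.UTF_8);
        if (raw.length != expected.length * 2) {
            return false; // wrong length for pad || masked token
        }
        byte[] token = new byte[expected.length];
        for (int i = 0; i < token.length; i++) {
            token[i] = (byte) (raw[i] ^ raw[expected.length + i]);
        }
        return MessageDigest.isEqual(token, expected);
    }

    public static void main(String[] args) {
        String sessionToken = "constructed-sample-token-0123456789"; // constructed value
        String first = mask(sessionToken);
        String second = mask(sessionToken);
        System.out.println("renderings differ: " + !first.equals(second));
        System.out.println("first validates:   " + matches(first, sessionToken));
        System.out.println("raw token rejected: " + !matches(sessionToken, sessionToken));
    }
}
```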

@ghost ghost added the azure-spring All azure-spring related issues label Nov 18, 2021
@backwind1233 backwind1233 removed the request for review from chenrujun November 18, 2021 02:30
@backwind1233 backwind1233 self-assigned this Nov 18, 2021
@backwind1233 backwind1233 added azure-spring-aad Spring active directory related issues. azure-spring-aad-b2c Spring active directory b2c related issues. Client This issue points to a problem in the data-plane of the library. labels Nov 18, 2021
@backwind1233 backwind1233 added this to the [2021] December milestone Nov 18, 2021
@backwind1233
Contributor Author

/azp run java - spring - tests

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@chenrujun chenrujun left a comment

LGTM.

@stliu
Member

stliu commented Nov 18, 2021

I think this should be ported to our 4.0 branch as well?

@backwind1233
Contributor Author

> I think this should be ported to our 4.0 branch as well?

@stliu The main branch will be merged into the 4.0 branch in a day or two; it will cover this, I think.

@backwind1233 backwind1233 merged commit d6b084b into Azure:main Nov 18, 2021
@backwind1233 backwind1233 deleted the 1118_cve_spring_gzh branch November 18, 2021 07:36