fix(deps): update dependency org.springframework:spring-core to v6 [security] #29
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.1.4.RELEASE
->6.1.14
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2018-1257
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
CVE-2018-1270
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CVE-2018-1271
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
CVE-2018-1272
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
CVE-2018-1275
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CVE-2016-5007
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x (as well as other unsupported versions) rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CVE-2014-3578
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
CVE-2015-5211
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
CVE-2024-38827
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
Release Notes
spring-projects/spring-framework (org.springframework:spring-core)
v6.1.14
⭐ New Features
QualifierAnnotationAutowireCandidateResolver
#33580MethodArgumentTypeMismatchException
error message #33573🐞 Bug Fixes
MethodParameter.getMethod()
check inKotlinDelegate.hasDefaultValue()
#33609AotTestExecutionListener
should not be invoked for a@DisabledInAotMode
test class #33589org.springframework.util.ResourceUtils#toRelativeURL
drops customURLStreamHandler
#33561ZoneIdEditor
throws wrong exception type forTypeConverterSupport
#33545@Cacheable
throwsNullPointerException
whenRuntimeException
is thrown inside annotated code #33492HttpComponentsClientHttpResponse
ignoresExpires
cookie attribute #33157📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@arey, @asibross, @boulce, @drdpov, @hosamaly, @ilya40umov, @izeye, and @junhyeongkim2
v6.1.13
⭐ New Features
result
inWebAsyncManager
#33406🐞 Bug Fixes
Rendering
#33498📔 Documentation
-debug
compiler flag in reference manual #33453@ImportResource
in the reference manual #33446@RequestBody
#33409🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@dancer1325, @izeye, and @yfoel
v6.1.12
⭐ New Features
@javax.inject.Named
annotation #33345🐞 Bug Fixes
SimpleEvaluationContext
does not enforce read-only semantics #33319Object[]
when invoking varargs method #33317Indexer
silently ignores failure to set property as index #33310@Scheduled
method in test class not supported anymore #33286@JmsListener
response messages #33221ConversionService
cannot convert primitive array toObject[]
#33212@Cacheable
#33210MethodHandle
function with a primitive array #33198AopUtils
#33045📔 Documentation
RestClient
documentation #33350🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@GoncaloPT, @crusherd, @genuss, @kashike, @ngocnhan-tran1996, @olbinski, @pcvolkmer, @sheip9, @tafjwr, and @underbell
v6.1.11
⭐ New Features
MethodHandle
is notnull
in SpEL'sReflectionHelper
#33193PrematureCloseException
during response #33127getTypeForFactoryMethod
should catchNoClassDefFoundError
#33075🐞 Bug Fixes
MethodHandle
function with an array #33191MethodHandle
function with zero variable arguments #33190java.nio.file.Path
(and plain "." value resolves to classpath root) #33124@Transactional
#33095LocalContainerEntityManagerFactoryBean
initialization fails in case of null bean definition #33082ReactorNettyClientRequest.convertException
should include original exception if cause isnull
#33080Object...
varargs method #33013📔 Documentation
ModelMap
is not a supported argument type in WebFlux #33107InputStreamResource
for content length bypass #33089🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@TAKETODAY, @hunhee98, @imvtsl, @snussbaumer, and @zizare
v6.1.10
⭐ New Features
PersistenceExceptionTranslator
bean retrieval inPersistenceExceptionTranslationInterceptor
on shutdown #33067DisconnectedClientHelper
#33064🐞 Bug Fixes
@Autowired
@Bean
method with@Value
parameter #33030📔 Documentation
❤️ Contributors
Thank you to all the contributors who worked on this release:
@tafjwr
v6.1.9
⭐ New Features
@TenantId
#32967🐞 Bug Fixes
canEncode()
forJAXBElement
inJaxb2XmlEncoder
#32977@Valid
annotations on container elements for handler argument validation not supported #32964StringUtils#cleanPath
#32962@CacheEvict
condition uses wrapper comparison instead of actual objects #32960ReactorResourceFactory
not working with CRaC onRefresh checkpoint #32945Integer
#32908Map
with a primitive #32903@EnableTransactionManagement
(mode = AdviceMode.ASPECTJ) #32882📔 Documentation
RegisterReflectionForBinding
Javadoc #32947MethodValidationPostProcessor
is missing astatic
keyword #32929KotlinDetector.isKotlinType
documentation for Kotlin 2.x lambdas #32905🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@Attacktive, @Seungpang, @deblockt, @hlmg, @ozooxo, @soglad, and @ypyf
v6.1.8
⭐ New Features
🐞 Bug Fixes
@DateTimeFormat(iso = DateTimeFormat.ISO.DATE\_TIME)
cannot convert UTC without milliseconds tojava.util.Date
#32856@Configurable
aspect #32838📔 Documentation
❤️ Contributors
Thank you to all the contributors who worked on this release:
@rwinch
v6.1.7
⭐ New Features
@Aspect
classes for Spring AOP proxy usage #32793🐞 Bug Fixes
AnnotationConfigWebApplicationContext
should propagateApplicationStartup
toBeanFactory
#32747PropertiesPropertySource.getPropertyNames()
#32742MergedAnnotations
search does not find container for repeatable annotation #32731ScopedProxyMode.TARGET\_CLASS
and advisors #32669📔 Documentation
ResponseCookie
#32663Flux<T>
return values #32630factory-method
does not always determine correct target type #32091@Order
behavior on types, bean methods, and config classes #30177@Transactional
re-entrant calls) #28299🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@LeMikaelF, @Seungpang, @izeye, @m4tt30c91, @remeio, and @yhao3
v6.1.6
⭐ New Features
JdbcUtils.getResultSetValue
#32601FactoryBean
type matching when usinggetBeanProvider
#32590@RequestParam
binding does not support params with an empty array "[]" suffix #32577Annotation
array cloning inTypeDescriptor
#32476Annotation
array inTypeDescriptor
#32405🐞 Bug Fixes
MethodIntrospector.selectMethods()
fails to detect bridge methods across ApplicationContexts #32586CompoundExpression
omits null-safe syntax in AST string representation of null-safe selection/projection in SpEL #32515FactoryBean
class not autowired in case oftargetType
mismatch #32489HeaderContentNegotiationStrategy.resolveMediaTypes()
throws unexpectedInvalidMimeTypeException
#32483📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@Banuelorigni, @LinorDolev, @T45K, @izeye, @kilink, @quaff, and @qww1552
v6.1.5
⭐ New Features
ServletServerHttpResponse
#32361\*HttpMessageConverter#getContentLength
return value null safety #32325🐞 Bug Fixes
boolean
array #32400@Cacheable
#32370ServletResponseHttpHeaders#get
null handling #32362#root
or#this
is a non-public type #32356value class
parameters #32353constructor-impl
of Kotlinvalue class
is not called #32324HHH-17643
#32311Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.