Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency org.springframework.boot:spring-boot-autoconfigure to v2.7.12 [SECURITY] #708

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 28, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework.boot:spring-boot-autoconfigure (source) 2.7.5 -> 2.7.12 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-20883

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Specifically, an application is vulnerable if all of the conditions are true:

  • The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
  • The application makes use of Spring Boot's welcome page support, either static or templated.
  • Your application is deployed behind a proxy which caches 404 responses.

Your application is NOT vulnerable if any of the following are true:

  • Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.
  • The application does not use Spring Boot's welcome page support.
  • You do not have a proxy which caches 404 responses.

Affected Spring Products and Versions

Spring Boot

3.0.0 to 3.0.6 2.7.0 to 2.7.11 2.6.0 to 2.6.14 2.5.0 to 2.5.14

Older, unsupported versions are also affected
Mitigation

Users of affected versions should apply the following mitigations:

  • 3.0.x users should upgrade to 3.0.7+
  • 2.7.x users should upgrade to 2.7.12+
  • 2.6.x users should upgrade to 2.6.15+
  • 2.5.x users should upgrade to 2.5.15+

Users of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+.

Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.


Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-autoconfigure)

v2.7.12

Compare Source

🐞 Bug Fixes
  • Welcome page may return a 404 when an acceptable response cannot be produced #​35552
  • Invalid reference format error when tagging images using Podman #​35358
  • FactoryBean.getObject for non-singleton executed when resetting mocks #​35324
  • Can't use PEM encoded PKCS#8 EC keys with server.ssl.certificate-private-key #​35322
  • Webflux server gracefulshutdown throws NullPointerException #​35264
  • Health actuator mail details shows the port as -1 when using the default port #​35247
  • SessionRepositoryFilterConfiguration can cause early initialization of SessionRepository beans including Redis #​35240
  • Devtools main method search algorithm can find incorrect main method #​35214
  • When a WebFlux app is deployed to Cloud Foundry some metrics are lost and numerous beans are ineligible for post-processing #​35163
  • Liveness and readiness probes return down when lazy initialization is enabled #​35161
  • Treating a null Flyway-specific password as an empty string prevents the use of PGPASS for authentication #​35110
  • WebClient auto-configuration tries to use HttpComponentsClientHttpConnector when all required classes are not present #​34964
  • MinIdle and MaxValidationTime properties missing for R2DBC pools #​34724
📔 Documentation
  • Polish formatting of permitAll() endpoint security Kotlin example #​35454
  • Wrong anchors in Maven plugin documentation #​35371
  • Correct list of annotations that are equivalent to @SpringBootApplication #​35180
  • Harmonize references to application.yaml files in reference docs #​34628
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​JunJaBoy, @​aasaru, @​davin111, and @​ivandimitrov8080

v2.7.11

Compare Source

🐞 Bug Fixes
  • CloudFoundry integration does not use endpoint path mappings #​35085
  • Gradle Spring Boot plugin with Kotlin DSL does not support includeProjectDependencies in bootJar > layered > dependencies configuration #​35033
  • Banner placeholders use default values too soon #​34764
  • Cassandra default configuration substitutions don't resolve against configuration derived from spring.data.cassandra properties #​34643
  • ApplicationAvailability bean is auto-configured even if a custom one is already present #​34347
  • Nested test classes don't inherit properties from slice test annotations on enclosing class #​33317
📔 Documentation
  • Use current Neo4j version in Testcontainers-based examples #​34775
  • Clarify servlet container compatibility #​34697
  • Document that optional dependencies are included by default in fat jars built with Maven #​34636
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​SeasonPanPan, @​acktsap, @​dreis2211, @​jgslima, @​krzyk, and @​meistermeier

v2.7.10

Compare Source

🐞 Bug Fixes
  • Some of the deprecated spring.security.saml2.relyingparty.registration.*.identityprovider.* properties are ignored #​34525
  • Maven plugin uses timezone-local timestamps when outputTimestamp is used #​34424
  • Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 #​34405
  • EmbeddedWebServerFactoryCustomizerAutoConfiguration should not run when embedded web server is not configured #​34332
  • Image builds with podman fail when image buildpacks are configured #​34324
  • org.springframework.boot.web.embedded.jetty.GracefulShutdown uses the wrong class to create its logger #​34220
  • StandardConfigDataResource can import the same file twice if the classpath includes '.' #​34212
📔 Documentation
  • Document support for Java 20 #​34642
  • Update two references to old APIs #​34567
  • Clarify conventions for custom error pages in WebFlux #​34534
  • Add documentation tip showing how to configure publishRegistry Maven properties from the command line #​34517
  • Document support for Gradle 8 #​34458
  • Document how to get socket location for image building configuration with podman #​34435
  • Fix typo in Encrypting Properties #​34386
  • Use plugins DSL consistently in Spring Boot Gradle Plugin docs #​34048
  • Add link to Failover starter #​32943
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​1993heqiang, @​anandmnair, @​anthonydahanne, @​dsyer, @​izeye, @​jongwooo, and @​terminux

v2.7.9

Compare Source

🐞 Bug Fixes
  • Maven Plugin's PropertiesMergingResourceTransformer closes InputStream when it should not do so #​34063
  • Actuator Health web endpoint broken with Gson and Java 17 #​34030
  • Dependency management for Mongo's Java Driver is incomplete #​33941
  • Using devtools with Reactive application results in slower restarts #​33855
  • Spies are not reset after test execution when using @SpyBean #​33830
  • Properties Migrator does not detect properties of Map type that are marked as deprecated #​27854
📔 Documentation
  • Updated documentation for @ConfigurationProperties bean naming rules #​34029
  • Restore "Use Jedis Instead of Lettuce" how-to documentation #​33994
  • Add Redis application properties example #​33965
  • Use Maven Central for release downloads in CLI installation documentation #​33962
  • Actuator section is missing from documentation overview #​33932
  • Add Javadoc since to OperationParameter.getAnnotation() #​33914
  • Document additional configuration that is required for spring.mvc.throw-exception-if-no-handler-found=true to be effective #​31660
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Anubhav-2000, @​enimiste, @​izeye, @​jprinet, @​marcel-wollschlaeger, @​mhalbritter, @​michaldo, and @​sannanansari

v2.7.8

Compare Source

⭐ Noteworthy

🐞 Bug Fixes

  • Devtools sets non-existent property spring.reactor.debug #​33858
  • Failing calls to reactive health indicators are not logged #​33774
  • Failure analysis of NoUniqueBeanDefinitionException reports "defined in null" when bean definition has no resource description #​33765
  • NPE in RabbitProperties when user is given, but password not #​33752
  • SDKMAN should not use repo.spring.io for releases #​33708
  • Homebrew and Scoop should not use repo.spring.io for releases #​33702
  • EndpointRequestMatcher should have a toString method #​33690
  • It is not possible to provide a custom TransactionProvider bean for JOOQ #​32899
  • SpringBootMockResolver causes AopTestUtils.getUltimateTargetObject to recurse until the stack overflows when it calls it with Spring Security's authentication manager bean #​32632
  • Inconsistent discovery of parameter names for selectors in custom actuator endpoints #​31240
  • @DeprecatedConfigurationProperty has no effect when declared on a record component's accessor method #​29526
  • Headless mode is forced when banner.* file is present. #​28803
  • Diagnostics are poor when the JMX port used by the Maven start goal is in use #​24044

📔 Documentation

  • Replace "via" in documentation and use "over" or "through" instead #​33878
  • Fix typo in kotlin getting started documentation #​33867
  • Update com.gorylenko.gradle-git-properties version to 2.4.1 in doc #​33838
  • Fix 'the the' typos #​33736
  • Fix typo in javadoc of org.springframework.boot.web.server.LocalServerPort #​33683
  • Fix a typo in the ExitCodeGenerator documentation #​33658
  • Fix typo in External Configuration documentation #​33630
  • Update getting started documentation to use @SpringBootApplication #​32795
  • Description of spring-boot-starter-websocket does not make it clear that it's Servlet-specific #​32493

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​BartR96, @​devrishal, @​dreis2211, @​izeye, @​josephlane, @​kvmw, @​mhalbritter, @​sannanansari, @​sdeleuze, @​yyjstudy, and @​zhangyanyue

v2.7.7

Compare Source

🐞 Bug Fixes

  • Fix typo in LocalDevToolsAutoConfiguration logging #​33569
  • Web server fails to start due to "Resource location must not be null" when attempting to use a PKCS 11 KeyStore #​32179

📔 Documentation

  • Improve gradle plugin tags documentation #​33614
  • Improve maven plugin tags documentation #​33609
  • Fix typo in tomcat accesslog checkExists doc #​33460
  • Document that the shutdown endpoint is not intended for use when deploying a war to a servlet container #​17398

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Artur-, @​aksh1618, @​cdanger, @​currenjin, @​jprinet, and @​shekharAggarwal

v2.7.6

Compare Source

🐞 Bug Fixes
  • ScheduledBeanLazyInitializationExcludeFilter is auto-configured even when annotation-based scheduled has not been enabled #​33283
  • SpringBootContextLoader prints banner twice when using a @ContextHierarchy #​33262
  • Properties migrator causes an application to fail to start if it tries to map a property whose metadata data entry contains an invalid configuration property name #​33249
  • Configuration property binding does not deal with bridge methods #​33211
  • Configuring management.server.port via a config tree results in a ConverterNotFoundException when the management context is refreshed #​33168
  • Dependency management for XMLUnit is incomplete #​32999
  • Spring Boot's Lettuce metrics enable histrograms by default and it's hard to switch them off #​32989
  • Dependency management for Selenium is incomplete #​32861
  • NumberFormatException when configuring spring.redis.sentinel.nodes with an IPv6 address #​32836
📔 Documentation
  • Align Tomcat multiple connectors example with recommendation to configure SSL declaratively #​33331
  • ConditionalOnClass not working for Bean methods on Java 8 #​33328
  • Actuator document is misleading about k8s startup probe #​33326
  • Link to Micrometer's @Timed documentation #​33265
  • Clarify use of the spring.cache.type property with Hazelcast #​33257
  • Example git.commit.time in the Actuator API documentation is thousands of years in the future #​33255
  • Links to Features describes sections that have moved elsewhere #​33213
  • Fix kafka streams auto start description typo in reference docs #​33101
  • OAuth 2 configuration example uses unrecognized value for authorization grant type #​33068
  • Fix typos in logging.adoc #​32820
  • Harmonize code sample in the "Type-safe Configuration Properties" section #​32818
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​EricGao888, @​biergit, @​dreis2211, @​eurythmia, @​hpoettker, @​iamgd67, @​izeye, @​jamessoun93, and @​sdeleuze


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

@renovate renovate bot force-pushed the renovate/maven-org.springframework.boot-spring-boot-autoconfigure-vulnerability branch from 4e23613 to 5581774 Compare June 14, 2023 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants