
fix(deps): update dependency org.springframework.boot:spring-boot-starter-web to v2 [security] #119

Open
wants to merge 1 commit into base: master

Conversation

renovate[bot] (Contributor)

@renovate renovate bot commented Mar 16, 2023

This PR contains the following updates:

Package: org.springframework.boot:spring-boot-starter-web (source)
Change: 1.5.22.RELEASE -> 2.5.12

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-22965

Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.

Impact

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Patches

Workarounds

For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).


Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-web)

v2.5.12

Compare Source

🐞 Bug Fixes
  • MustacheAutoConfiguration in a Servlet web application fails with a ClassNotFoundException when Spring MVC is not on the classpath #​30456
📔 Documentation
  • Javadoc of org.springframework.boot.gradle.plugin.ResolveMainClassName.setClasspath(Object) is inaccurate #​30468
  • Document that @DefaultValue can be used on a record component #​30460
🔨 Dependency Upgrades
  • Upgrade to Jackson Bom 2.12.6.20220326 #​30477
  • Upgrade to Spring Framework 5.3.18 #​30491
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.11

Compare Source

⭐ New Features
🐞 Bug Fixes
  • Thymeleaf auto-configuration in a reactive application can fail due to duplicate templateEngine beans #​30384
  • ConfigurationPropertyName#equals is not symmetric when adapt has removed trailing characters from an element #​30317
  • server.tomcat.keep-alive-timeout is not applied to HTTP/2 #​30267
  • Setting spring.mustache.enabled to false has no effect #​30250
  • bootWar is configured eagerly #​30211
  • Actuator @ReadOperation on Flux cancels request after first element emitted #​30095
  • No metrics are bound for R2DBC ConnectionPools that have been wrapped #​30090
  • Unnecessary allocations in Prometheus scraping endpoint #​30085
  • Condition evaluation report entry for a @ConditionalOnSingleCandidate that does not match due to multiple primary beans isn't as clear as it could be #​30073
  • Generated password are logged without an "unsuitable for production use" note #​30061
  • Files in META-INF are not found when deploying a Gradle-built executable war to a servlet container #​30026
  • spring-boot-configuration-processor fails compilation due to @DefaultValue with a long value and generates invalid metadata for byte and short properties with out-of-range default values #​30020
  • Dependency management for Netty tcNative is incomplete leading to possible version conflicts #​30010
  • Dependency management for Apache Kafka is incomplete #​29023
📔 Documentation
  • Fix JsonSerializer example in reference guide #​30329
  • Default value of spring.thymeleaf.reactive.media-types is not documented #​30280
  • Add Netty in "Enable HTTP Response Compression" #​30234
  • Fix typo #​30118
  • Remove non-existent spring.data.cassandra.connection.connection-timeout property from the documentation #​30074
  • Use Gradle's task configuration avoidance APIs in the Gradle Plugin's reference docs #​30056
  • Polish web examples in reference doc #​30027
  • Improve property placeholder documentation to mention environment variables and default values #​30012
  • Use Gradle's task configuration avoidance APIs in the main reference docs #​30000
  • Document how to access the H2 Console in a secured web application #​29932
  • Add links to Spring Boot for Apache Geode to the reference documentation #​29697
  • Include default Dev Tools properties in the reference documentation #​29406
  • Document the WebSocket-related exclusions that are required to use Jetty 10 #​29275
  • Clarify type matching that is performed when using @MockBean and @SpyBean #​28656
  • Add documentation for spring.profiles.include #​28451
  • Document the scalar types supported by MapBinder #​27581
  • Document when config data properties are invalid #​25849
  • Document how to rely on ServletContext with an embedded container setup #​24561
  • Clarify that build plugins or the CLI does not have an auto-compile feature #​17851
  • Document how to structure configurations so that @Bean methods are included in slice tests #​16088
🔨 Dependency Upgrades
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.10

Compare Source

🐞 Bug Fixes
  • Default JmxAutoConfiguration changes JConsole hierarchy for multi-property @ManagedResource object names #​29953
  • The active profiles log message is ambiguous when a profile's name contains a comma #​29896
  • Failed application contexts are not deregistered from SpringApplicationShutdownHook #​29874
  • Gradle Plugin triggers eager configuration of some tasks #​29762
  • MimeMapping for ots has a trailing space in its mime type #​29746
  • Dependency management for Liquibase does not include its liquibase-cdi module #​29676
  • Ignore invalid stream types when reading log update events #​29675
  • bootJar, bootRun, and bootWar do not pick up changes to the main source set's runtime classpath that are made after Boot's plugin has been applied #​29672
  • @SpyBean causes BeanCurrentlyInCreationException when there are circular references #​29639
  • server.tomcat.use-relative-redirects=true not honored when server.forward-headers-strategy=framework #​29333
  • A fat jar built with Gradle moves META-INF beneath BOOT-INF/classes while Maven leaves it at the jar's root #​28562
📔 Documentation
  • bootRun example should use mainClass, rather than main which was deprecated in Gradle 7.1 #​29965
  • Rectify incorrect sanitizing regex example provided in how-to docs #​29951
  • "Customizing the Banner" should make it more obvious that any environment property can be used #​29931
  • Update javadoc to reflect move from WebSecurityConfigurerAdapter to SecurityFilterChain #​29900
  • Link directly to the Integration Properties section of the appendix when cross-referencing Kafka properties #​29758
  • Add documentation for WebMvc.fn #​29683
  • Move appendix subsections under appendix section #​29667
  • In Gradle plugin docs, replace classifier (deprecated) with archiveClassifier in examples #​29611
  • Clarify relation of import path to resultant properties in configtree import data #​29606
  • Upgrade version of gradle-git-properties in reference doc #​29535
  • Rename Boxfuse to CloudCaptain #​29523
  • Provide some guidance on identifying and resolving Devtools classloading issues #​29438
  • Warn about the dangers of early bean initialization when using @ConditionalOnExpression #​29276
  • Document that placeholders in @DefaultValue annotations are not resolved #​23164
🔨 Dependency Upgrades
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.9

Compare Source

🐞 Bug Fixes
  • ConfigurationPropertySources.attach will always reattach when called multiple times #​29409
  • 'spring.config.import' placeholders can resolve from profile-specific documents when they should fail #​29386
  • Embedded launch script fails if jar is owned by an unknown user #​29370
  • Maven repackaging of a jar with a deeply nested package is prohibitively slow #​29175
  • @SpringBootTest does not use spring.main.web-application-type properties declared in test resource files #​29169
  • Warning from AprLifecycleListener when using Tomcat Native and Tomcat 9.0.55 or later #​28814
📔 Documentation
  • Clarify documentation for RestTemplate customization #​29394
  • Refer to Maven Resolver rather than Aether #​29255
🔨 Dependency Upgrades
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.8

Compare Source

🐞 Bug Fixes
  • DatabaseInitializationDependencyConfigurer triggers eager initialization of factory beans #​28977
  • App fails to start when it depends on thymeleaf-extras-springsecurity5 but does not have Spring Security on the classpath #​28967
  • Platform used for Quartz, Session, Integration, and Batch schema initialization cannot be configured #​28932
  • Image buildpack references without tag do not default to latest version #​28921
  • The getter and setter that's used during configuration property binding varies when a getter or setter has been overridden to use a subclass of the property's type #​28917
  • Invalid classpath index manifest attribute in war files built with Maven #​28895
  • The name of the matching-strategy property is incorrect in the action message of the failure analysis for a PatternParseException #​28809
  • Dependency management for org.elasticsearch.distribution.integ-test-zip:elasticsearch should declare its type as zip #​28725
📔 Documentation
  • Polish Creating Your Own Auto-configuration section in Core Features reference doc #​29115
  • Polish CacheManager customization section in reference doc #​29094
  • Document that using DevTools with a remote application is not supported with WebFlux #​28955
  • 2.5.x snapshot documentation links to source code on the main branch #​28856
  • Polish README.adoc #​28835
  • Fix output of "spring --version" in reference documentation #​28831
  • Fix typos in the "External Application Properties" section #​28830
  • Improve deprecation notice on ResourceProperties to direct people to WebProperties for dependency injection and then getResources() #​28762
  • Add a package description for org.springframework.boot.actuate.metrics.data #​28756
🔨 Dependency Upgrades
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.7

Compare Source

🐞 Bug Fixes

  • Dependency management for JSTL is out of date #​28659
  • JUnit annotations may prevent a test context from being cached #​28565
  • Avoid duplicate AOP proxy class definition with FilteredClassLoader #​28531
  • Profiles added using @ActiveProfiles have different precedence #​28530
  • Logback should default to JVM's default charset instead of ASCII #​28486
  • When a parent context has method validation configuration, it isn't auto-configured in its child contexts #​28479
  • Prometheus actuator endpoint should produce a text/plain response unless application/openmetrics-text is explicitly accepted #​28446

📔 Documentation

  • Fix "Configure Two DataSources" example #​28712
  • Update URL for GraphQL Spring Boot starter #​28683
  • Fix @deprecated and @see in org.springframework.boot.loader.archive.Archive's javadoc #​28680
  • Configuration sample in reference doc has wrong yaml formatting #​28671
  • Fix yaml sample format in reference doc #​28670
  • Fix typo in "Ant-style path matching" #​28549
  • Change description of property "logging.logback.rollingpolicy.max-history" to match Logback documentation #​28466
  • Improve documentation on using an embedded ActiveMQ broker #​28434
  • Don't use markdown syntax in javadoc or error messages #​28424

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.6

Compare Source

🐞 Bug Fixes

  • Misleading failure analysis when jOOQ's DSLContext is unavailable due to R2DBC taking precedence over JDBC #​28379
  • When lazy initialization is enabled, JMX endpoints are not available #​28371
  • JarFileWrapper may cause many FinalReferences causing GC pressure #​28356
  • Flattened VCAP_SERVICES properties are not sanitized by default #​28353
  • MeterValue with "d" suffix not parsed as Duration for timer #​28351
  • CachingOperationInvoker cache can consume a significant amount of heap space #​28347
  • Devtools restart fails with in-memory R2DBC database and SQL initialization scripts #​28345
  • ActiveMQ starter depends on org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec #​28340
  • spring-boot-starter-oauth2-client has an unnecessary dependency on com.sun.mail:jakarta.mail #​28333
  • Layertools extract does not preserve last modified and last access times #​28190
  • NumberFormatException when configuring spring.rabbitmq.addresses with an IPv6 address #​28134
  • Broken content negotiation for OpenMetrics #​28130

📔 Documentation

  • Fix typo in EnvironmentPostProcessor's class-level javadoc #​28382
  • Remove obsolete info about Spring Integration's metrics support #​28375
  • Update docs to be explicit about dot notation being correctly mapped #​28201
  • Section 4.4 File Rotation mentions the wrong configuration file name for Log4j2 #​28193
  • Update Javadoc with note mentioning that class using ConstructorBinding must be enabled using annotations #​28171
  • Make it clearer that, when using @AutoConfigureTestEntityManager outside of @DataJpaTest, any tests using the test entity manager must be @Transactional #​28159

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.5

Compare Source

🐞 Bug Fixes

  • Actuator endpoints do not sanitize SPRING_APPLICATION_JSON by default #​28081
  • Startup failure due to non-empty schema when using Flyway and Spring Integration's DataSource initialization #​28079
  • Web MVC metrics may have the wrong status when a filter throws an exception other than NestedServletException #​28069
  • Embedded Undertow throws MalformedURLException when archive filename contains characters that are reserved in a URL #​28032
  • Concurrent image builds cause error deleting builder image #​27993
  • War deployment in standalone Tomcat causes memory leak (Metaspace) #​27987
  • IndexOutOfBoundsException when running a Zip64 jar file larger than 4,294,967,295 bytes #​27900
  • Azure App Service is not correctly detected on Windows #​27819
  • @MockBean combined with @Repeat results in "the field cannot have an existing value" error #​27798
  • NullPointerException in RoutingDataSourceHealthContributor when a routing data source has a target with a null routing key #​27698

📔 Documentation

  • Document that devtools restart doesn't work when using AspectJ weaving #​28083
  • Default value for spring.data.elasticsearch.client.reactive.endpoints is not documented #​28072
  • Clarify Selenium auto-configuration requires HtmlUnit #​27943
  • Document that spring-boot-starter-parent configures Java compilation to use -parameters #​27885
  • Fix inconsistent devtools doc #​27876
  • Fix typo in javadoc #​27873
  • Document how to parameterize output directory for REST Docs with WebTestClient #​27803
  • Document support for Java 17 #​26767

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.4

Compare Source

🐞 Bug Fixes

  • spring-boot-configuration-metadata leaks enforced dependency constraints into consuming builds #​27730
  • Potential NPE in TomcatMetricsBinder.findContext() #​27616
  • Cyclic bean definition when a Spring Data repository is a dependency of a MeterBinder #​27591
  • spring-boot:build-image hangs when exceptions are thrown during upload #​27535
  • WebTestClientContextCustomizerFactory causes an IllegalStateException when WebClient is on the classpath without a supported HTTP client #​27527
  • spring.security.dispatcher-types is not applied to Spring Security's filter when running in a separate management context #​27505
  • A URI with non-alpha characters in its scheme is not sanitized #​27488

📔 Documentation

  • Mention productionRuntimeClasspath in Gradle plugin's documentation #​27620
  • Fix typo in javadoc #​27618

🔨 Dependency Upgrades


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
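The two mitigations the advisory text above describes, as an added example that is not part of this PR or of the Spring projects' own code: a global @ControllerAdvice that denies the class-based property paths, and the fail-safe variant that registers a custom RequestMappingHandlerAdapter through a WebMvcRegistrations bean so the denylist is merged in after every @InitBinder method has run. The package and class names are hypothetical. The four denylist patterns are the ones Spring's own Spring4Shell announcement published; this page does not list them. The example targets a Spring Boot 2.x / Spring MVC application on a version that still lacks the fix, and the merge is hooked into the binder factory's initBinder method rather than into binder creation, because the WebBindingInitializer and the @InitBinder methods run after the binder instance is created and only initBinder is truly the last step.

```java
// Added example, not code from this PR or from Spring Boot / Spring Framework.
// Package, class and method names are hypothetical.
package com.example.hardening;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

@Configuration
public class DataBinderHardening {

    // Property paths that must never be reachable through request-parameter
    // binding. The known exploit walks from a bound bean through "class" to
    // the ClassLoader. Both casings are listed because disallowedFields
    // matching was case-sensitive before the fixed Framework versions.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // Workaround 1: the @ControllerAdvice approach. Global @InitBinder methods
    // run before a controller's own, so a controller that calls
    // setDisallowedFields(...) in its local @InitBinder replaces this list
    // and silently reopens the hole. That is the loophole the advisory notes.
    @ControllerAdvice
    @Order(Ordered.LOWEST_PRECEDENCE)
    public static class BinderControllerAdvice {
        @InitBinder
        public void denyClassLoaderPaths(WebDataBinder binder) {
            binder.setDisallowedFields(DENYLIST);
        }
    }

    @Bean
    public BinderControllerAdvice binderControllerAdvice() {
        return new BinderControllerAdvice();
    }

    // Workaround 2: the fail-safe approach. Boot wires this adapter in place of
    // the default one; its binder factory appends the denylist after the
    // WebBindingInitializer and all @InitBinder methods (global and local)
    // have run, so a local setDisallowedFields(...) can no longer remove it.
    @Bean
    public WebMvcRegistrations mvcRegistrations() {
        return new WebMvcRegistrations() {
            @Override
            public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                return new HardenedRequestMappingHandlerAdapter();
            }
        };
    }

    static class HardenedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {
        @Override
        protected InitBinderDataBinderFactory createDataBinderFactory(
                List<InvocableHandlerMethod> binderMethods) {
            return new ServletRequestDataBinderFactory(binderMethods, getWebBindingInitializer()) {
                @Override
                public void initBinder(WebDataBinder binder, NativeWebRequest request) throws Exception {
                    super.initBinder(binder, request); // every @InitBinder method runs here
                    binder.setDisallowedFields(mergeDenylist(binder.getDisallowedFields()));
                }
            };
        }
    }

    // Keeps whatever the application already disallowed and appends DENYLIST,
    // so existing restrictions survive and the class paths are always blocked.
    static String[] mergeDenylist(String[] existing) {
        List<String> merged = new ArrayList<>();
        if (existing != null) {
            merged.addAll(Arrays.asList(existing));
        }
        for (String pattern : DENYLIST) {
            if (!merged.contains(pattern)) {
                merged.add(pattern);
            }
        }
        return merged.toArray(new String[0]);
    }
}
```

Both workarounds are stop-gaps; the actual fix is the version bump in this PR, which brings in Spring Framework 5.3.18 through Boot 2.5.12. After merging, confirm what is really on the classpath with `mvn dependency:tree -Dincludes=org.springframework:spring-webmvc` (or the Gradle equivalent) instead of trusting the starter version alone, and keep in mind that the prerequisites listed in the advisory (JDK 9+, WAR deployment on Tomcat) describe the known exploit, not the full attack surface.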

@renovate renovate bot force-pushed the renovate/maven-org.springframework.boot-spring-boot-starter-web-vulnerability branch from 8af71d1 to b91069a on August 22, 2023 18:28