Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency org.springframework:spring-web to v6.1.12 [security] #233

Merged

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 24, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework:spring-web 6.1.7 -> 6.1.12 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-38809

Description

Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to DoS attack.

Affected Spring Products and Versions

org.springframework:spring-web in versions

6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37

Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.


Release Notes

spring-projects/spring-framework (org.springframework:spring-web)

v6.1.12

Compare Source

v6.1.11

⭐ New Features

  • Ensure varargs component type for MethodHandle is not null in SpEL's ReflectionHelper #​33193
  • Confusing WebClient exception message in case of Reactor-Netty PrematureCloseException during response #​33127
  • Include the bean name in the exception when an invalid factoryBeanObjectType attribute is found #​33117
  • Use error handler for reactive cache aspect #​33073
  • getTypeForFactoryMethod should catch NoClassDefFoundError #​33075

🐞 Bug Fixes

  • SpEL cannot invoke varargs MethodHandle function with an array #​33191
  • SpEL cannot invoke varargs MethodHandle function with zero variable arguments #​33190
  • Nested bean instance supplier invocation does not retain previous factory method #​33180
  • DefaultErrorResponseBuilder does not implement headers(Consumer) #​33156
  • Fix adaptation of violations on Set method parameter #​33150
  • Web controller call with invalid body resulting in 500 instead of 400 when using kotlinx-serialization #​33138
  • "file:." cannot be resolved to java.nio.file.Path (and plain "." value resolves to classpath root) #​33124
  • Mockito mock falsely initialized as CGLIB proxy with AspectJ aspect #​33113
  • Fix ClassCastException from return value validation with proxy when adaptConstraintViolations=true #​33105
  • Spring coroutines AOP is not compatible with @Transactional #​33095
  • ReactorClientHttpConnector creates new HttpClient for every request #​33093
  • Trace and Span IDs are no longer propagated RequestBodyAdvice beans #​33091
  • Early LocalContainerEntityManagerFactoryBean initialization fails in case of null bean definition #​33082
  • ReactorNettyClientRequest.convertException should include original exception if cause is null #​33080
  • SpEL incorrectly splits string arguments by comma for Object... varargs method #​33013
  • ProtobufMessageConverter fails to parse JSON payload if byte array is used #​27408

📔 Documentation

  • Harmonize phrasing in URI Encoding section #​33166
  • Document that ModelMap is not a supported argument type in WebFlux #​33107
  • Example in Method Injection section of Spring Framework documentation refers to wrong bean names #​33096
  • Resource writer doesn't consider subclasses of InputStreamResource for content length bypass #​33089
  • Improve documentation regarding encoding in FreeMarker support #​33071
  • Exception for validation failure in WebFlux does not match the documentation #​33061

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​TAKETODAY, @​hunhee98, @​imvtsl, @​snussbaumer, and @​zizare

v6.1.10

v6.1.9

⭐ New Features

  • CRaC: ignore checkpointOnRefresh afterRestore #​32978
  • Add missing hints for Hibernate @TenantId #​32967
  • AnnotationUtils performance degrades with deep stacks #​32921
  • Missing hints for Hibernate generators #​32842
  • AbstractAutoProxyCreator#determineBeanType can trigger bean initialization at build time for aspects implementing Ordered #​32230

🐞 Bug Fixes

  • Behaviour change in ScheduledAnnotationBeanPostProcessor: canceling scheduled tasks on ContextClosedEvent v6.0 -> v6.1 #​33009
  • ContentCachingRequestWrapper may allocate too much memory #​32987
  • Support canEncode() for JAXBElement in Jaxb2XmlEncoder #​32977
  • AspectJ CTW aspects executed twice #​32970
  • @Valid annotations on container elements for handler argument validation not supported #​32964
  • Add support for double backslashes to StringUtils#cleanPath #​32962
  • @CacheEvict condition uses wrapper comparison instead of actual objects #​32960
  • ConcurrentHashMap.computeIfAbsent used in AdvisedSupport can cause virtual thread pinning #​32958
  • Exception mapping does not work as expected when plugging in ReactorNettyClientRequestFactory into RestTemplate and RestClient #​32952
  • ReactorResourceFactory not working with CRaC onRefresh checkpoint #​32945
  • SpEL compilation fails when indexing into an array or list with an Integer #​32908
  • SpEL compilation fails when indexing into a Map with a primitive #​32903
  • BeanUtils.copyProperties no longer copies generic type properties from a base class that has been enhanced #​32888
  • Application not starting with @EnableTransactionManagement(mode = AdviceMode.ASPECTJ) #​32882
  • ReactorNettyClientResponse should not throw exception if no body is available #​32805
  • Observation in ServerHttpObservationFilter is never stopped for asynchronous requests #​32730

📔 Documentation

  • Fix typo in the Simple Broker section of the reference documentation #​32993
  • Remove outdated copyright from index.adoc #​32983
  • Use HttpStatusCode consistently in reference guide #​32966
  • Entity name in MappingSqlQuery example of reference guide is wrong #​32957
  • Fix RegisterReflectionForBinding Javadoc #​32947
  • Reference documentation sample for MethodValidationPostProcessor is missing a static keyword #​32929
  • Fix typo in Jakarta validation documentation #​32928
  • Refine KotlinDetector.isKotlinType documentation for Kotlin 2.x lambdas #​32905
  • Complete Kotlin example for HTTP message codecs in reference doc #​32877
  • Use Threadlocal.remove() instead of .set(null) in documentation #​32874
  • Unexpected bean override / inject behavior #​32825
  • Document why complex object structure are not supported as paremeters or properties by AOT #​32273

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Attacktive, @​Seungpang, @​deblockt, @​hlmg, @​ozooxo, @​soglad, and @​ypyf

v6.1.8

⭐ New Features

  • Avoid creation of SAXParserFactory for every read operation in Jaxb2Marshaller and co #​32851
  • Suppress deprecation warning for AOT-generated code that refers to a deprecated bean type #​32850

🐞 Bug Fixes

  • Overridden aspect method runs twice #​32865
  • @DateTimeFormat(iso = DateTimeFormat.ISO.DATE\_TIME) cannot convert UTC without milliseconds to java.util.Date #​32856
  • Spring AOP fails against registered @Configurable aspect #​32838
  • MockHttpServletRequest should not use a shared reader when no content is available #​32820

📔 Documentation

  • Modernize Antora Build #​32864
  • Modernize Antora Build #​32863
  • Refine CDS documentation #​32843
  • Revisit validation documentation to better explain when method validation is invoked #​32807

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​rwinch


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


Thanks for the PR!

Any successful deployments (not always required) will be available below.
API available

Once merged, code will be promoted and handed off to following workflow run.
Main Merge Workflow

@renovate renovate bot enabled auto-merge (squash) September 24, 2024 22:06
@github-actions github-actions bot added the fix label Sep 24, 2024
Copy link

Overall Project 99.48% 🍏

There is no coverage information present for the Files changed

@renovate renovate bot merged commit b612def into main Sep 24, 2024
12 checks passed
@renovate renovate bot deleted the renovate/maven-org.springframework-spring-web-vulnerability branch September 24, 2024 22:15
Copy link

Your Pull Request code is being promoted! Please follow the link below.
Main Merge Workflow

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants