
CVE-2014-3527 Fixed in Spring Security 3.2.5 and 3.1.7

Spring Security 3.2.5 (change log) and 3.1.7 (change log) have been released and are available in Maven Central. Important highlights of this release are:

  • This release contains a fix for CVE-2014-3527 which resolves an issue where a malicious CAS Service can impersonate another CAS Service when using proxy tickets.
  • This release updates the cas module's transitive dependency on cas-client-core to a version that has a fix for CVE-2014-4172. This issue was not in Spring Security itself, but in a library on which it depends.

A special thanks to Scott Battaglia & the rest of the CAS team for relaying CVE-2014-3527 to the Spring Security team and coordinating with the Spring Security team on the CAS release to resolve CVE-2014-4172.

SpringOne 2GX 2014 is around the corner

Book your place at SpringOne in Dallas, TX for Sept 8-11 soon. It’s simply the best opportunity to find out first hand all that’s going on and to provide direct feedback. There will be deep dive sessions on the latest updates to Spring, Groovy, and Grails!
