Spring Integration 4.3.23, 5.1.12, 5.2.8 & 5.3.2 available; CVE-2020-5413

Dear Spring community,

On behalf of the team and everyone who contributed, it is my pleasure to announce a number of maintenance releases for Spring Integration. Mostly these versions contain bug fixes and dependency upgrades.

CVE-2020-5413

The Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when the incoming data contains malicious code for execution during deserialization.

In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration calls kryo.setRegistrationRequired(true); (trust no one) by default and pre-configures out-of-the-box Message<?> implementations as trusted classes. All other types have to be registered with Kryo using any available KryoRegistrar strategy injected into a PojoCodec.

Credit: ChengGao, ZeZhiLin, Alibaba Cloud Intelligence Security Team https://www.aliyun.com/.

All the mentioned Spring Integration versions include the fix for this CVE; everybody who’s using Kryo support in Spring Integration is encouraged to upgrade to the respective version.

Cheers, 
Artem
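
The trusted-class registration described in the CVE-2020-5413 announcement above, as an added example that is not part of the original post or the project's own code. It assumes one of the patched Spring Integration releases is on the classpath; `OrderEvent` is a hypothetical application type and its values are constructed.

```java
import java.io.IOException;

import org.springframework.integration.codec.kryo.KryoClassListRegistrar;
import org.springframework.integration.codec.kryo.PojoCodec;

public class KryoTrustedClassesExample {

    // Hypothetical application payload; it is not one of the Message<?>
    // implementations that the framework pre-configures as trusted.
    public static class OrderEvent {
        public String orderId;
        public int quantity;

        public OrderEvent() { } // no-arg constructor so Kryo can instantiate it

        public OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    public static void main(String[] args) throws IOException {
        OrderEvent event = new OrderEvent("A-1001", 3); // constructed sample value

        // 1. No registrar: on a patched release registration is required,
        //    so a type outside the trusted set must be refused.
        PojoCodec defaultCodec = new PojoCodec();
        try {
            defaultCodec.encode(event);
            // Reaching this line means classes are still resolved on demand.
            System.out.println("OrderEvent accepted without registration: upgrade needed");
        }
        catch (RuntimeException ex) {
            System.out.println("OrderEvent rejected: " + ex.getMessage());
        }

        // 2. Explicit allow-list: register the application type through a
        //    KryoRegistrar strategy injected into the PojoCodec.
        PojoCodec trustedCodec = new PojoCodec(new KryoClassListRegistrar(OrderEvent.class));
        byte[] bytes = trustedCodec.encode(event);
        OrderEvent decoded = trustedCodec.decode(bytes, OrderEvent.class);
        System.out.println("Round trip: " + decoded.orderId + " x" + decoded.quantity);
    }
}
```

Both sides of a channel must register the same classes in the same order, because `KryoClassListRegistrar` assigns registration ids sequentially.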


Spring Data Neumann SR2, Moore SR9, and Lovelace SR19 available now

On behalf of the team, I’m pleased to announce a Spring Data release triple feature: Neumann SR2, Moore SR9, and Lovelace SR19. These service releases are built on top of Spring Framework releases 5.2.8 (Neumann and Moore) and 5.1.17 (Lovelace) and ship with mostly dependency upgrades and fixes, along with a few selected improvements.

Spring Data Neumann SR2 contains 70 improvements and fixes. Spring Data Moore SR9 ships with 35 fixes and improvements. Last, Spring Data Lovelace SR19 includes 23 selected fixes.


Spring Framework 5.2.8, 5.1.17, 5.0.18, and 4.3.28 available now

On behalf of the team and everyone who has contributed, I am pleased to announce a full round of Spring Framework releases.

Spring Framework 5.2.8 includes 36 fixes and improvements. Spring Framework 5.1.17 includes 15 selected fixes and improvements.

The maintenance release for 5.0.x (5.0.18) ships with 13 selected fixes and improvements. The 4.3.x branch (4.3.28) also ships with 13 selected fixes and improvements, including a CORS configuration change (see gh-25414 and the CORS section of the reference documentation for more details).


Spring Initializr 0.9.0 available now

On behalf of the team and everyone who has contributed, I’m happy to announce that Spring Initializr 0.9.0 has been released and is now available from repo.spring.io and Maven Central.

This release includes 34 fixes, improvements and dependency upgrades.
Thanks to all those who have contributed with issue reports and pull requests.

For full upgrade instructions and new and noteworthy features please see the release notes.

GitHub | Issues | Documentation | Stack Overflow | Gitter


Introducing Java Functions for Spring Cloud Stream Applications - Part 0

We are happy to announce the release of Spring Cloud Stream applications 2020.0.0-M2. This release is a complete overhaul of the legacy Spring Cloud Stream App Starters. Starting with this release, we are moving away from theme-oriented release train names (famous scientists in alphabetical order) to calendar based versioning. The current GA release is called Einstein, and we are pleased to introduce 2020.0.0-M2. We are also moving away from the app starters. Having reorganized, repackaged, and (in some cases) rewritten the underlying code, we now have a new Git repository: spring-cloud/stream-applications: Functions and Spring Cloud Stream Applications for data driven microservices.


Spring Security 5.4.0-M2 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.4.0-M2! You can find the complete details in the release notes and the highlights below:

OAuth 2.0

gh-8700 - OAuth2AuthorizedClientArgumentResolver picks up OAuth2AuthorizedClientManager bean
gh-8730 - Add JWTProcessor Configuration Post-Processor
gh-8669 - OAuth2AuthorizedClientArgumentResolver for XML
gh-8587 - Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter
gh-8603 - oauth2Client Test Support no longer requires an HttpSessionOAuth2AuthorizedClientRepository
gh-8501 - Add issuerUri to ClientRegistration

Spring Boot 2.4.0-M1 is now available

On behalf of the team and everyone that contributed, I am pleased to announce that the first milestone of Spring Boot 2.4 has been released and is available from our milestone repository. This release closes over 120 issues and pull requests.

Please note the slight change in the format of the version. 2.4.0-M1 is the first Spring Boot release to use the new versioning scheme.

With Spring Boot 2.4, we have switched to a 6-month release cadence. All being well, you can expect to see 2.4.0 reach general availability in October or November.


Spring Integration 5.4 M1 Available

Dear Spring community,

On behalf of the team and everyone who contributed, it is my pleasure to announce the first milestone for the Spring Integration 5.4 generation.

It can be downloaded from our milestone repository:

compile 'org.springframework.integration:spring-integration-core:5.4.0-M1'

The Spring Integration 5.4 generation is fully based on the recently released Spring Framework 5.3 M1, including all the deprecation resolutions, the removal of some obsolete API, and an aggressive upgrade to the latest versions of dependencies.


Spring Batch 4.3.0-M1 is released now!

On behalf of the Spring Batch team, I am pleased to announce that Spring Batch 4.3.0-M1 is now available from our milestone repository.

What’s new?

This release is packed with new features, performance improvements, and bug fixes, as well as documentation and dependency updates! You can find the complete list of changes in the release notes, but here are the major highlights:

New features

1. New synchronized ItemStreamWriter

Similar to the SynchronizedItemStreamReader, we added a SynchronizedItemStreamWriter. This feature is useful in multi-threaded steps where concurrent threads need to be synchronized to not override each other’s writes.


First milestone of Spring Data 2020.0 available

On behalf of the Spring Data team, I’m happy to announce the first milestone of the 2020.0 (Code name “Ockham”) release train, 2020.0.0-M1. This release ships with over 120 tickets fixed. This Spring Data release is the first release using calver as an update to the release train version scheme.

The most notable new features are:

  • Support for RxJava 3
  • Introduction of org.springframework.data:spring-data-bom, which replaces org.springframework.data:spring-data-releasetrain

You can find a curated changelog in our release train wiki or skim through a full list of changes in JIRA.
