Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22976: BCrypt skips salt rounds for work factor of 31. Please update as soon as possible.

UPDATES

• [05-17] Due to a mixup CVE-2022-22975 should have been CVE-2022-22978. The blog has been updated to reflect this correction.

Spring Security 5.7.0 (release notes), 5.6.4 (release notes), 5.5.7 (release notes) have been released which fix

• CVE-2022-22978

• CVE-2022-22976.

Please update as soon as possible.

Project Site | Reference | Help

On behalf of the Data Team and everyone who contributed, I'm pleased to announce the GA release of the 2021.2 release train as well as the 4th Milestone of the 2022.0 one.

Already working on the 2022.0 train, based on Spring Framework 6, Java17 and Jakarta EE 9, the 2021.2 release ships bug fixes and selected back ported features.

Other than dependency upgrades, these are some of the major changes:

• Infrastructure to introspect a projection type.
• Common infrastructure for property-specific value converters.
• Improved support for IdClass handling in data-jpa.
• Declarative Update methods in data-mongodb.
• Reindexing support in data-elasticsearch.
• Direct projections for data-cassandra.
• ACL support for Redis Sentinels.
• Lock and Null precedence support for JDBC.
• Query Rewriter for JPA.
…

Hi, Spring fans! In this episode, Josh Long (@starbuxman) talks to fellow Java Champion, EasyMock engineer, and Java luminary, JUG leader, and legend Henri Tremblay (@henri_tremblay)

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 6.0.0-M4 is available now.

Spring Framework 6.0.0-M4 ships with all the fixes from 5.3.20 released yesterday, and also includes 39 fixes and improvements specific to the 6.0 branch.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 5.3.20 and 5.2.22 are available now.

Spring Framework 5.3.20 includes 14 fixes and improvements. Spring Framework 5.2.22 includes 2 backports.

In addition, these releases include fixes for 2 vulnerabilities:

• CVE-2022-22970 "Spring Framework DoS via Data Binding to MultipartFile or Servlet Part" Denial of Service (DoS) attack in Spring MVC or Spring WebFlux applications that handle file uploads and rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. Severity: Medium

• CVE-2022-22971 "Spring Framework DoS with STOMP over WebSocket"
  Denial of service (DoS) attack by authenticated users in Spring applications with a STOMP over WebSocket endpoint. Severity: Medium

…

Hi, Spring fans! I'm writing this from - I can't believe I get to say this - abroad! I'm in London, UK! Now, this is not particularly noteworthy for those millions who already live here. But I don't live here. I'm a visitor! I live in San Francisco. I had to fly here! On a plane! With other people! ACROSS THE OCEAN. This is my first international flight since March of 2020, and I couldn't be more excited to be here for Devoxx UK and also just to catch up with old friends I haven't seen in nearly three years. If you know me, and how I used to travel, you'll appreciate how odd it is for me to be…

Hi, Spring fans! In this installment, Josh Long (@starbuxman) talks to fellow Java Champion and Java ecosystem luminary Chandra Guntur (@cguntur) about Java, Spring, and the Spring Katas, among other things.

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you doin'?

I'm excited! This week I'm speaking at the ArabJUG, and I'll be speaking at Microsoft's huuuge JDConf event. Both of these are virtual. Then, next Monday, I'm on a plane bound for London, UK, where I'll be speaking at Devoxx UK 2022. Then, not even two weeks later, I'll be speaking at Spring IO, in Barcelona, Spain! Then a week later, I'll be speaking at JNation, in Lisbon, Portugal. To say that I am excited would be an understatement, my friends.

And all of that ignores the great stuff since last week…