Hi, Spring fans! In this installment, Josh Long (@starbuxman) talks to Java Champion, legend, and prolific opensource contributor Andres Almiray (@aalmiray)

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 6.0.0-RC3 is available now.

Spring Framework 6.0.0-RC3 includes 22 fixes and improvements. This is the last release candidate expected before the general availability of Spring Framework 6.0.0 currently planned mid-November.

Project Page | GitHub | Issues | Documentation

We have released STS 4.16.1 for Eclipse and Spring VSCode extensions 1.40.0 to address the following CVE report:

• CVE-2022-31691: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode

Please review the information in the CVE report and upgrade immediately.

Eclipse: STS upgrade to 4.16.1 VSCode: Spring Boot Tools upgrade to 1.40.0 VSCode: Concourse CI Pipeline Editor upgrade to 1.40.0 VSCode: Bosh Editor upgrade to 1.40.0 VSCode: Cloudfoundry Manifest YML Support upgrade to 1.40.0

See Spring Tools page to find the latest releases

I am pleased to announce the availability of the second milestone of Spring Modulith 0.1. The release contains a few minor bug fixes and a couple of community contributions to the reference documentation. Find a complete overview about the changes included in the release here. For a general introduction into the project, please consult the announcing blog post.

The current plan is to ship an 0.1 RC1 after Spring Boot’s second RC, followed by a GA version on the heels of Boot’s GA.

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 0.4.0-RC1.

You can download it from repo.spring.io milestone repository by using the module coordinates:

implementation 'org.springframework.security:spring-security-oauth2-authorization-server:0.4.0-RC1'

See the release notes for complete details.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration.

We would love to gather your…

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 1.0.0-RC1.

You can download it from repo.spring.io milestone repository by using the module coordinates:

implementation 'org.springframework.security:spring-security-oauth2-authorization-server:1.0.0-RC1'

See the release notes for complete details.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration.

We would love to gather your…

Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31692 affecting the AuthorizationFilter. Users are encouraged to update as soon as possible.

Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible.

Impact

Users who have applied the mitigation should take note of the following impact:

No authorized scopes are mapped to the principal (current user) when the Authorization Server (AS) responds to the OAuth2 Access Token Response with an empty or missing scope parameter.

If you are affected by this vulnerability, users will not be granted any authorities beginning with SCOPE_ when the AS does not return scopes. Only the special authority ROLE_USER…

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 5.7.5 and 5.6.9 are available now. In both cases the releases are composed of bug fixes.

To learn more, please visit the 5.7.5 and 5.6.9 release summaries.

Project Site | Reference | Help