We have released Spring Security OAuth 2.5.2 to address the following CVE report.
This vulnerability exposes OAuth 2.0 Client applications only.
Please review the information in the CVE report and upgrade immediately.
On behalf of the team and everyone who has contributed, I’m happy to announce that Spring Boot 2.5.13 has been released and is now available from Maven Central.
This release includes 31 bug fixes, documentation improvements, and dependency upgrades. Thanks to all those who have contributed with issue reports and pull requests.
If you’re interested in helping out, check out the “ideal for contribution” tag in the issue repository. If you have general questions, please ask on stackoverflow.com using the spring-boot tag or chat with the community on Gitter.
On behalf of the team, I’m pleased to announce the release of Spring Session 2021.2.0-RC1, 2021.1.3 and 2021.0.6.
The 2021.2.0 release train is entering the RC phase. If you haven’t done so yet, please give it a try!
The 2021.1.3 and 2021.0.6 releases deliver bug fixes and dependency upgrades.
For your convenience, Spring Boot will pick up these artifacts with its upcoming releases.
The following modules were updated as part of 2021.2.0-RC1:
2.7.0-RC1 - release notes2.7.0-RC1 - release notes2.7.0-RC1 - release notes2.7.0-RC1 - release notes2.7.0-RC1 - release notes2.7.0-RC1On behalf of everyone involved, I’m pleased to announce the availability of the first and final release candidate of Spring for GraphQL 1.0. We’re finally going to release a 1.0 version on May 17, the reference version for Spring Boot 2.7.0. We’ve shipped a few noteworthy changes and one important new feature in this release.
Note: The Spring for GraphqL Boot starter is up-to-date with the changes discussed in this post and Spring Boot 2.7.0-RC1 is scheduled to be released on Thursday this week.
Hi, Spring fans! Welcome to another installment of This Week in Spring! It’s been quite the week since we last talked! I flew to Atlanta, GA, for my first in-person show since the pandemic - Devnexus 2022. I loved the experience! Hopefully, the only souvenirs I’ll have are the amazing memories and not COVID. I loved to see so many smiling faces. Thanks so much for having me, Devnexus, and for running an amazing show. It was a privilege to return.
And now, without further ado, let’s dive right into the roundup.
The 2021.2.0 release train is entering the RC phase. If you haven’t done so yet, please give it a try! The 2021.1.4 and 2021.0.11 service releases ship with mostly bug fixes and dependency upgrades. For your convenience those will be picked up by Spring Boot in the upcoming days.
To round things off, here are the links to the individual modules, changelogs, and documentation:
2.7 RC1 - Artifacts - Javadoc - Documentation - Changelog2.4 RC1 - Artifacts - Javadoc - Documentation - Changelog2.7 RC1 - Artifacts - Javadoc - Documentation - Changelog2.7 RC1 - Artifacts - Javadoc - Documentation - Changelog3.4 RC1 - Artifacts - Javadoc - Documentation - Changelog3.4 RC1 - Artifacts - Javadoc - Documentation - Changelog2.7 RC1 - Artifacts - Javadoc - Documentation - Changelog6.3 RC1 - Artifacts - Javadoc - Documentation - Changelog1.5 RC1 - Artifacts - Javadoc - Documentation - Changelog2.7 RC1 - Artifacts - Javadoc - Documentation - Changelog2.7 RC1 - Artifacts - Javadoc - Documentation - Changelog3.7 RC1 - Artifacts - Javadoc - Documentation - Changelog2.7 RC1 - Artifacts - Javadoc - Documentation - Changelog4.4 RC1 - Artifacts - Javadoc - Documentation - Changelog4.4 RC1 - Artifacts - Javadoc - Documentation - ChangelogOn behalf of the community, I’m pleased to announce the release of Spring Security 5.7.0-RC1!
In addition to dependency upgrades, bug fixes, and minor enhancements, the release candidate contains a few noteworthy changes:
Introduced SecurityContextHolderFilter - Ability to require explicit saving of the SecurityContext
Added DSL support for Cross Origin Policies headers
Allow configuring PKCE for confidential clients
Added SAML 2.0 Login & Single Logout XML support
This release candidate is a good opportunity to give feedback before the actual GA release in mid-May. We look forward to hearing from you.
Hi, Spring fans! In this installment, Josh Long (@starbuxman) talk about his first in-person conference since the pandemic descended upon us -the fabulous Devnexus 2022 show - and talks to colleague, teacher, friend, and Kubernetes legend Tiffany Jernigan (@tiffanyfayj).
While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.
