The following CVEs have been published today:

• CVE-2018-1257 for Spring Framework 5.0.6, 4.3.17.
• CVE-2018-1258 for Spring Security 5.0.5.
• CVE-2018-1259 for Spring Data Ingalls SR12, Kay SR7.
• CVE-2018-1260 for Spring Security OAuth 2.3.3, 2.2.2, 2.1.2, 2.0.15.
• CVE-2018-1261 for Spring Integration “Zip” extension 1.0.1.

Please, review the information in the CVE reports and upgrade immediately.

Spring Boot Users: Spring Boot 2.0.2 and 1.5.13, released earlier today, contain the fixes for the above vulnerabilities.

CVE-2018-1270 was reported last week, and unfortunately, was not fully addressed in the 4.3.x branch of the Spring Framework.

A follow-up 4.3.16 version was created and released to Maven Central, and a new CVE-2018-1275 report was published. Please upgrade to 4.3.16 immediately!

Spring Boot 1.5.x Instructions: if impacted by this issue, please upgrade to Spring Boot 1.5.12.

UPDATE 2018-04-09: see follow-up announcement for 4.3.x branch.

Spring Framework 5.0.5 and 4.3.15 (superseded by 4.3.16 with CVE-2018-1275), released earlier this week, include fixes for the following vulnerabilities:

• CVE-2018-1270 –> CVE-2018-1275
• CVE-2018-1271
• CVE-2018-1272

Spring Boot 2.0.1 and 1.5.11 (superseded by 1.5.12 with CVE-2018-1275), that match the above Spring Framework versions, were released today, and are now also available for use.

Please, review the information in the CVE reports and upgrade immediately.

Spring Web Flow 2.5 is now GA and available for use. This release provides an upgrade path for applications using Web Flow to Spring Framework 5 with Java 8, Servlet 3.1, Hibernate 5, Tiles 3, and JSF 2.2 as minimum requirements.

The first and only release candidate planned for Spring Web Flow 2.5 is now available from the Spring Milestones repository. The samples repository has been updated to use it.

This release provides an upgrade path to Spring Framework 5 along with Java 8, Servlet 3.1, Hibernate 5, Tiles 3, and JSF 2.2 as minimum requirements.

In this release “spring-js” has been merged with “spring-webflow” so there is no longer a separate “spring-js” module. As a result some configuration classes have changed packages. The “spring-js-resources” module is still available but as an optional module that must be included explicitly if needed.

Spring Web Flow 2.4.6 was released earlier today containing a security fix. Applications that use explicit data bindings through the <binder> element in flow definitions are not affected. Those that do rely on default bindings should upgrade as soon as possible.

A minor maintenance release version 2.4.5 for Spring Web Flow is now available for use.

The release includes an important security fix for vulnerability report CVE-2017-4971. Please review the report details and upgrade.

An update on the 5th and last milestone of Spring Framework 5.0…

Spring MVC and Spring WebFlux

The name Spring MVC is both well known and widely used but it may surprise a few there is no actual project or independent distribution with that name. Rather it is a module within the Spring Framework distribution called spring-webmvc. Here is another trivia question. Did you know that the top-level package in the module does not feature “mvc”? Rather it is called org.springframework.web.servlet. Practically speaking those are details that we don’t have to remember. What matters is that we have a short and memorable name to refer to Spring’s Servlet stack based web framework.

As Juergen mentioned in his Spring Framework 5 M1 release announcement our Spring Reactive initiative has been merged into Spring Framework proper preserving all contributions and its full history over more than a year.

What is it?

In a nutshell reactive programming is about non-blocking, event-driven applications that scale with a small number of threads with backpressure as a key ingredient that aims to ensure producers do not overwhelm consumers. The Reactive Streams specification (also adopted in Java 9) enables the ability to communicate demand across layers and libraries from different providers. For example an HTTP connection writing to a client can communicate its availability to write all the way upstream to a data repository fetching data from a database so that given a slow HTTP client the repository can slow down too or even pause. For a more extensive introduction to reactive programming check Dave Syer’s multipart series “Notes on Reactive Programming”.

A new Spring Web Flow 2.4.4 maintenance release is now available for download or use from Maven and Gradle builds. This release extends compatibility to Hibernate 5.2 and also includes several mainly JSF related fixes.