Rossen Stoyanchev

Spring Framework committer

Jersey City, NJ

Blog Posts by Rossen Stoyanchev

Spring Framework 5.2.3, 5.1.13, 5.0.16, and 4.3.26 releases

After unfavorable weather on Maven Central caused service disruption much of today, skies have finally cleared up, and I am pleased to announce a full round of Spring Framework releases: the 5.2.3 release on the current production branch, along with maintenance branch releases 5.1.13, 5.0.16, and 4.3.26 with selected backports.

Please note that the 5.0.x and 4.3.x lines have reached the end of active maintenance, with just one final wrap-up release expected on each branch before the official EOL date at the end of this year. The 5.1.x line remains active but will be updated less frequently (~ once a quarter) than the 5.2.x line (~ every six weeks) throughout 2020. For more details, please check the 2020 Roadmap blog post. TL;DR: Please upgrade to 5.2+ at your earliest convenience!

Spring Framework's Migration from Jira to GitHub Issues

The Spring Framework has migrated its entire history of issues from Jira to GitHub. The goal of this blog post is to provide you with context and details about this move.

Migration Details


The entire 15+ year history of every Spring Framework issue, and every comment, has been imported into GitHub. There is a lot to consider in such a move, so let’s take a tour and go over some details.

Links

If you have a link to an existing issue, e.g. https://jira.spring.io/browse/SPR-16751, you’ll be redirected to the corresponding GitHub issue. If you actually mean to go to the Jira issue, append the query parameter redirect=false. On the GitHub side, the imported issue has a link back to its Jira issue origin.

Spring Project Vulnerability Reports Published

The following CVEs have been published today:

  1. CVE-2018-15756 for Spring Framework 5.1.1, 5.0.10, and 4.3.20.
  2. CVE-2018-15758 for Spring Security OAuth 2.3.4, 2.2.3, 2.1.3, and 2.0.16.

Please review the information, including affected project versions, in the CVE reports and upgrade immediately.

Spring Boot Users:
Spring Boot 2.0.6 and 1.5.17, released earlier today, contain the fixes for the above vulnerabilities.

Spring Project Vulnerability Reports Published

The following CVEs have been published today:

Please review the information in the CVE reports and upgrade immediately.

Spring Boot Users: Spring Boot 2.0.2 and 1.5.13, released earlier today, contain the fixes for the above vulnerabilities.

Multiple CVE reports published for the Spring Framework

UPDATE 2018-04-09: see follow-up announcement for 4.3.x branch.

Spring Framework 5.0.5 and 4.3.15 (superseded by 4.3.16 with CVE-2018-1275), released earlier this week, include fixes for the following vulnerabilities:

Spring Boot 2.0.1 and 1.5.11 (superseded by 1.5.12 with CVE-2018-1275), which match the above Spring Framework versions, were released today and are now also available for use.

Please review the information in the CVE reports and upgrade immediately.

Spring Web Flow 2.5 released

Spring Web Flow 2.5 is now GA and available for use. This release provides an upgrade path for applications using Web Flow to Spring Framework 5 with Java 8, Servlet 3.1, Hibernate 5, Tiles 3, and JSF 2.2 as minimum requirements.

Spring Web Flow 2.5 RC1 is available

The first and only release candidate planned for Spring Web Flow 2.5 is now available from the Spring Milestones repository. The samples repository has been updated to use it.

This release provides an upgrade path to Spring Framework 5 along with Java 8, Servlet 3.1, Hibernate 5, Tiles 3, and JSF 2.2 as minimum requirements.

In this release “spring-js” has been merged with “spring-webflow” so there is no longer a separate “spring-js” module. As a result some configuration classes have changed packages. The “spring-js-resources” module is still available but as an optional module that must be included explicitly if needed.

Spring Web Flow 2.4.6 released

Spring Web Flow 2.4.6 was released earlier today containing a security fix. Applications that use explicit data bindings through the <binder> element in flow definitions are not affected. Those that do rely on default bindings should upgrade as soon as possible.
