
Update to Spring Boot 2.7.17 #5522

Closed
onobc opened this issue Oct 21, 2023 · 2 comments

onobc (Contributor) commented Oct 21, 2023

Let's update to Spring Boot 2.7.17 as well as any transitive dependency versions that we lock onto.

  • flyway-core/8.5.13
  • spring-security 5.7.11
  • spring-framework 5.3.30
  • more (I am sure there are...)

Let's also make sure we are on the latest Spring Cloud patches at this time.

@onobc onobc added the area/dependencies Belongs project dependencies label Oct 21, 2023
@onobc onobc added this to the 2.11.2 milestone Oct 21, 2023
@corneil corneil self-assigned this Oct 23, 2023
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue Oct 30, 2023
* This was missed on the Spring Boot 2.7.17 update.
* Also updates snippet in README.md so users know how to build.

See spring-cloud#5522
onobc added a commit that referenced this issue Nov 2, 2023
* This was missed on the Spring Boot 2.7.17 update.
* Also updates snippet in README.md so users know how to build.

See #5522
sandeepbal1989 commented

@onobc Maybe SnakeYAML can also be upgraded to use 2.0 with this release?
Spring Boot 2.7.17 has already started giving compatibility towards using the SafeConstructor for SnakeYAML 2.0.

Usage e.g. (in org.springframework.boot.json.YamlJsonParser):

    private final Yaml yaml = new Yaml(new TypeLimitedConstructor());
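
As an added example (not code from this thread, from Spring Boot or from Data Flow), here is a loader built on SnakeYAML's SafeConstructor, which exists in both the 1.x and 2.x lines: it loads plain configuration data but rejects a document that uses a global `!!` tag to request instantiation of a JDK class. The two YAML strings are constructed samples.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeYamlLoaderDemo {

    // Constructed sample: ordinary untagged configuration data.
    static final String PLAIN_DOC = "server:\n  port: 8080\n";

    // Constructed sample: a global (!!) tag asking the loader to build a JDK
    // object. A benign class is used here; SafeConstructor rejects any such
    // tag regardless of the class named, because it only knows the standard
    // YAML types (maps, lists, scalars).
    static final String TAGGED_DOC = "when: !!java.util.Date 2023-10-21T00:00:00Z\n";

    // Build a Yaml instance that never instantiates application or JDK classes.
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false); // fail closed on ambiguous documents
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns true when the loader refused the document with a ConstructorException.
    static boolean rejectsGlobalTag(Yaml yaml, String doc) {
        try {
            yaml.load(doc);
            return false;
        } catch (ConstructorException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = safeLoader();

        Map<String, Object> cfg = yaml.load(PLAIN_DOC);
        System.out.println("plain document loaded: " + cfg);

        boolean rejected = rejectsGlobalTag(yaml, TAGGED_DOC);
        System.out.println("tagged document rejected: " + rejected);
    }
}
```

With SnakeYAML 1.33 or 2.x on the classpath, the plain document yields a map and the tagged document is refused with "could not determine a constructor for the tag"; swapping SafeConstructor for the default Constructor is what lets tagged documents create arbitrary objects.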

onobc (Contributor, Author) commented Nov 8, 2023

Hi @sandeepbal1989 ,

We have already mitigated against the vulnerability in 1.x. Also, Spring Boot is still shipping with 1.30 (Data Flow is using the latest 1.33), but has no plans to bump up to 2.x. When/if Boot updates to 2.x, we will at that time.

If you have someone nagging you because of the CVE, please just point them to our advisory: https://github.com/spring-cloud/spring-cloud-dataflow/security/advisories/GHSA-578p-phm8-hcj9.

Thanks
