Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/04/23 08:51:00 UTC
[jira] [Commented] (NIFI-11478) Upgrade Spring Framework to 5.3.27 and Spring Security to 5.8.3
[ https://issues.apache.org/jira/browse/NIFI-11478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17715411#comment-17715411 ]
ASF subversion and git services commented on NIFI-11478:
--------------------------------------------------------
Commit f9e7ba0141689d9602392b1743781b1d51a85bde in nifi's branch refs/heads/support/nifi-1.x from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=f9e7ba0141 ]
NIFI-11478 Upgraded Spring Framework from 5.3.26 to 5.3.27
- Upgraded Spring Security from 5.8.2 to 5.8.3
- Upgraded Spring Boot from 2.7.10 to 2.7.11 for Registry
Signed-off-by: Pierre Villard <pi...@gmail.com>
This closes #7190.
> Upgrade Spring Framework to 5.3.27 and Spring Security to 5.8.3
> ---------------------------------------------------------------
>
> Key: NIFI-11478
> URL: https://issues.apache.org/jira/browse/NIFI-11478
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, MiNiFi, NiFi Registry, Security
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Labels: dependency-upgrade
> Fix For: 1.latest, 2.latest
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Spring Framework 5.3.26 and earlier contain a Spring Expression Language vulnerability described in [CVE-2023-20863|https://spring.io/security/cve-2023-20863].
> Spring Security 5.8.2 and earlier contain a Security Context logout vulnerability described in [CVE-2023-20862|https://spring.io/security/cve-2023-20862].
> Spring Framework [5.3.27|https://github.com/spring-projects/spring-framework/releases/tag/v5.3.27] resolves CVE-2023-20863 and Spring Security [5.8.3|https://github.com/spring-projects/spring-security/releases/tag/5.8.3] resolves CVE-2023-20862.
> Spring Boot 2.7.11 incorporates these upgrades and should be updated for Registry.
> Framework components do not use Spring Expression Language and do not use HTTP sessions for persisting Security Context information.
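As an added check (not part of the ticket or the NiFi commit), the following script scans `mvn dependency:list` style output for Spring artifacts still below the fixed versions the ticket names. The sample output lines are constructed, and the check deliberately covers only the 5.3.x, 5.8.x and 2.7.x release lines the ticket discusses, flagging other lines for separate review rather than guessing their fixed versions.

```python
import re
from typing import List, Tuple

# Fixed versions as stated in NIFI-11478; the prefix restricts each check
# to the release line the ticket covers (other lines get a caveat, not a verdict).
FIXED_VERSIONS = {
    "org.springframework":          ("5.3", (5, 3, 27), "CVE-2023-20863"),
    "org.springframework.security": ("5.8", (5, 8, 3),  "CVE-2023-20862"),
    "org.springframework.boot":     ("2.7", (2, 7, 11), "Spring Boot 2.7.11 bundles both fixes"),
}

# One `mvn dependency:list` entry: groupId:artifactId:type:version:scope
DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+")

# Constructed sample of dependency:list output, not real NiFi build output.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.springframework:spring-expression:jar:5.3.26:compile",
    "[INFO]    org.springframework:spring-core:jar:5.3.27:compile",
    "[INFO]    org.springframework.security:spring-security-web:jar:5.8.2:compile",
    "[INFO]    org.springframework.boot:spring-boot:jar:2.7.11:compile",
    "[INFO]    org.springframework:spring-web:jar:6.0.7:compile",
    "[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile",
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric prefix of a version, so 5.3.9 sorts before 5.3.27 (string compare would not)."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break  # a qualifier such as -SNAPSHOT ends the numeric part
        parts.append(int(piece))
    return tuple(parts)

def find_vulnerable(lines: List[str]) -> List[str]:
    """Return one finding per Spring artifact below its line's fixed version."""
    findings: List[str] = []
    for line in lines:
        match = DEP_LINE.search(line)
        if not match:
            continue
        group, artifact, version = match.groups()
        if group not in FIXED_VERSIONS:
            continue
        prefix, fixed, advisory = FIXED_VERSIONS[group]
        fixed_text = ".".join(str(n) for n in fixed)
        if not version.startswith(prefix + "."):
            findings.append(f"{group}:{artifact}:{version} is outside the {prefix}.x line; check that line's advisory separately")
        elif parse_version(version) < fixed:
            findings.append(f"{group}:{artifact}:{version} below {fixed_text} ({advisory})")
    return findings
```

Run it against `mvn dependency:list` output from the Registry and framework modules; an empty result means every Spring artifact on the covered lines is at or above the versions in this ticket.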