Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/04/23 08:51:00 UTC

[jira] [Commented] (NIFI-11478) Upgrade Spring Framework to 5.3.27 and Spring Security to 5.8.3

    [ https://issues.apache.org/jira/browse/NIFI-11478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17715411#comment-17715411 ] 

ASF subversion and git services commented on NIFI-11478:
--------------------------------------------------------

Commit f9e7ba0141689d9602392b1743781b1d51a85bde in nifi's branch refs/heads/support/nifi-1.x from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=f9e7ba0141 ]

NIFI-11478 Upgraded Spring Framework from 5.3.26 to 5.3.27

- Upgraded Spring Security from 5.8.2 to 5.8.3
- Upgraded Spring Boot from 2.7.10 to 2.7.11 for Registry

Signed-off-by: Pierre Villard <pi...@gmail.com>

This closes #7190.


> Upgrade Spring Framework to 5.3.27 and Spring Security to 5.8.3
> ---------------------------------------------------------------
>
>                 Key: NIFI-11478
>                 URL: https://issues.apache.org/jira/browse/NIFI-11478
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, MiNiFi, NiFi Registry, Security
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>              Labels: dependency-upgrade
>             Fix For: 1.latest, 2.latest
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Spring Framework 5.3.26 and earlier contain a Spring Expression Language vulnerability described in [CVE-2023-20863|https://spring.io/security/cve-2023-20863].
> Spring Security 5.8.2 and earlier contain a Security Context logout vulnerability described in [CVE-2023-20862|https://spring.io/security/cve-2023-20862].
> Spring Framework [5.3.27|https://github.com/spring-projects/spring-framework/releases/tag/v5.3.27] resolves CVE-2023-20863 and Spring Security [5.8.3|https://github.com/spring-projects/spring-security/releases/tag/5.8.3] resolves CVE-2023-20862.
> Spring Boot 2.7.11 incorporates these upgrades and should be updated for Registry.
> Framework components do not use Spring Expression Language and do not use HTTP sessions for persisting Security Context information.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)