Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVE-2022-22978 by upgrading spring-security to 5.6.4 #29304

Merged
merged 5 commits into from
Jun 8, 2022
Merged

Fix CVE-2022-22978 by upgrading spring-security to 5.6.4 #29304

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
8c1d834
Fix CVE-2022-22978 by upgrading spring-security to 5.6.4.
rujche Jun 8, 2022
de12962
Update CHANGELOG.md.
rujche Jun 8, 2022
2338b84
Merge branch 'main' into Fix_CVE-2022-22978_by_upgrading_spring-secur…
rujche Jun 8, 2022
aa13db7
Change the order of "Breaking Changes" and "Dependency Updates" in CH…
rujche Jun 8, 2022
ee3c304
Use "address" instead of "fix" in CHANGELOG.md.
rujche Jun 8, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions eng/versioning/external_dependencies.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,13 +142,13 @@ org.springframework.data:spring-data-redis;2.6.4
org.springframework.experimental:spring-aot;0.11.4
org.springframework.integration:spring-integration-core;5.5.11
org.springframework.kafka:spring-kafka;2.8.5
org.springframework.security:spring-security-config;5.6.3
org.springframework.security:spring-security-core;5.6.3
org.springframework.security:spring-security-oauth2-client;5.6.3
org.springframework.security:spring-security-oauth2-resource-server;5.6.3
org.springframework.security:spring-security-oauth2-core;5.6.3
org.springframework.security:spring-security-oauth2-jose;5.6.3
org.springframework.security:spring-security-web;5.6.3
org.springframework.security:spring-security-config;5.6.4
org.springframework.security:spring-security-core;5.6.4
org.springframework.security:spring-security-oauth2-client;5.6.4
org.springframework.security:spring-security-oauth2-resource-server;5.6.4
org.springframework.security:spring-security-oauth2-core;5.6.4
org.springframework.security:spring-security-oauth2-jose;5.6.4
org.springframework.security:spring-security-web;5.6.4
org.springframework:spring-beans;5.3.20
org.springframework:spring-context-support;5.3.20
org.springframework:spring-context;5.3.20
Expand Down
17 changes: 16 additions & 1 deletion sdk/spring/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,13 +18,28 @@ This section includes changes in `spring-cloud-azure-autoconfigure` module.
+ Add `AzureStorageConfiguration` to make Azure storage service share common property configuration [#29094](https://github.com/Azure/azure-sdk-for-java/pull/29094).
+ Add properties `spring.cloud.azure.storage.endpoint`, `spring.cloud.azure.storage.account-key`, `spring.cloud.azure.storage.sas-token`, `spring.cloud.azure.storage.connection-string`, `spring.cloud.azure.storage.account-name`.

#### Dependency Updates
- Upgrade spring-security to 5.6.4 to address [CVE-2022-22978](https://spring.io/blog/2022/05/15/cve-2022-22978-authorization-bypass-in-regexrequestmatcher) [#29304](https://github.com/Azure/azure-sdk-for-java/pull/29304).

### Spring Messaging Azure Service Bus
This section includes changes in the `spring-messaging-azure-servicebus` module.

#### Bugs Fixed
- Fix the `ServiceBusContainerProperties` constructor with overriding the default field values [#29095](https://github.com/Azure/azure-sdk-for-java/pull/29095).
- Restrict the concurrency value to be int format in `ServiceBusListener` [#29095](https://github.com/Azure/azure-sdk-for-java/pull/29095).


### Spring Cloud Azure Starter Active Directory
This section includes changes in `spring-cloud-azure-starter-active-directory` module.

#### Dependency Updates
- Upgrade spring-security to 5.6.4 to address [CVE-2022-22978](https://spring.io/blog/2022/05/15/cve-2022-22978-authorization-bypass-in-regexrequestmatcher) [#29304](https://github.com/Azure/azure-sdk-for-java/pull/29304).

### Spring Cloud Azure Starter Active Directory B2C
This section includes changes in `spring-cloud-azure-starter-active-directory-b2c` module.

#### Dependency Updates
- Upgrade spring-security to 5.6.4 to address [CVE-2022-22978](https://spring.io/blog/2022/05/15/cve-2022-22978-authorization-bypass-in-regexrequestmatcher) [#29304](https://github.com/Azure/azure-sdk-for-java/pull/29304).

## 4.2.0 (2022-05-26)

- This release is compatible with Spring Boot 2.5.0-2.5.14, 2.6.0-2.6.8, 2.7.0. (Note: 2.5.x (x>14), 2.6.y (y>8) and 2.7.z (z>0) should be supported, but they aren't tested with this release.)
Expand Down
16 changes: 8 additions & 8 deletions sdk/spring/spring-cloud-azure-autoconfigure/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -223,25 +223,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-client;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-client;external_dependency} -->
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-resource-server</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-resource-server;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-resource-server;external_dependency} -->
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-jose;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-jose;external_dependency} -->
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-config;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-config;external_dependency} -->
<optional>true</optional>
</dependency>

Expand Down Expand Up @@ -340,10 +340,10 @@
<include>org.springframework.data:spring-data-redis:[2.6.4]</include> <!-- {x-include-update;org.springframework.data:spring-data-redis;external_dependency} -->
<include>org.springframework.kafka:spring-kafka:[2.8.5]</include> <!-- {x-include-update;org.springframework.kafka:spring-kafka;external_dependency} -->
<include>org.springframework:spring-context-support:[5.3.20]</include> <!-- {x-include-update;org.springframework:spring-context-support;external_dependency} -->
<include>org.springframework.security:spring-security-oauth2-client:[5.6.3]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-client;external_dependency} -->
<include>org.springframework.security:spring-security-oauth2-resource-server:[5.6.3]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-resource-server;external_dependency} -->
<include>org.springframework.security:spring-security-oauth2-jose:[5.6.3]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-jose;external_dependency} -->
<include>org.springframework.security:spring-security-config:[5.6.3]</include> <!-- {x-include-update;org.springframework.security:spring-security-config;external_dependency} -->
<include>org.springframework.security:spring-security-oauth2-client:[5.6.4]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-client;external_dependency} -->
<include>org.springframework.security:spring-security-oauth2-resource-server:[5.6.4]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-resource-server;external_dependency} -->
<include>org.springframework.security:spring-security-oauth2-jose:[5.6.4]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-jose;external_dependency} -->
<include>org.springframework.security:spring-security-config:[5.6.4]</include> <!-- {x-include-update;org.springframework.security:spring-security-config;external_dependency} -->
<include>org.springframework:spring-jms:[5.3.20]</include> <!-- {x-include-update;org.springframework:spring-jms;external_dependency} -->
</includes>
</bannedDependencies>
Expand Down
8 changes: 4 additions & 4 deletions sdk/spring/spring-cloud-azure-starter-active-directory-b2c/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,22 +92,22 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-config;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-config;external_dependency} -->
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-client;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-client;external_dependency} -->
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-jose;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-jose;external_dependency} -->
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-resource-server</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-resource-server;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-resource-server;external_dependency} -->
</dependency>
</dependencies>

Expand Down
4 changes: 2 additions & 2 deletions sdk/spring/spring-cloud-azure-starter-active-directory/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,12 +91,12 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-web;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-web;external_dependency} -->
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.6.3</version> <!-- {x-version-update;org.springframework.security:spring-security-config;external_dependency} -->
<version>5.6.4</version> <!-- {x-version-update;org.springframework.security:spring-security-config;external_dependency} -->
</dependency>
<dependency>
<groupId>com.nimbusds</groupId>
Expand Down