The Spring team will be rolling out a simplified contribution process that replaces the requirement to sign a Contributor License Agreement (CLA) with a Developer Certificate of Origin (DCO). The process will start this week with Spring Framework, Spring Security, & Spring Boot and then roll out to the entire Spring portfolio.

History

Spring has long used a permissive Contributor License Agreement (CLA) in order to provide legal protections to the Spring project, users, and the Spring team. Long time contributors may remember that signing the CLA originally involved emailing a signed PDF of…

On behalf of the Spring Security team and everyone who contributed to this release, I am delighted to announce the general availability of Spring Security Kerberos 2.1.0!

This release brings in bug fixes, version updates, and lots of compatability fixes.

Project Site | Reference | Help

On behalf of the team and everyone who has contributed, I am pleased to announce that the Spring Security 5.8.7, 6.0.7, 6.1.4, and 6.2.0-M1 are available now which fix CVE-2023-34042.

Please refer to the releases page for more detail on what is included in each release.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.1.1, 6.0.4, 5.8.4, 5.7.9, and 5.6.11 are available now. The releases are mostly composed of bug fixes, dependency upgrades, and documentation improvements.

To learn more, please visit the 6.1.1, 6.0.4, 5.8.4, 5.7.9, and 5.6.11 release summaries.

Project Site | Reference | Help

Spring Session 3.1.0-RC1 has been released. The biggest news from this release is that Spring Session Geode was removed which means all of the Spring Modules now belong to the same lifecycle. This means that the Spring Session BOM no longer uses CalVer and instead uses the same version as the remaining Spring Session modules. For example, in this release the version of spring-session-bom is 3.0.0-RC1.

You can view the release notes for additional details around this release.

Project Site | Reference | Help

On behalf of the team, I’m pleased to announce the release of Spring Session 2022.0.0-M3. These releases deliver, enhancements, bug fixes, and dependency upgrades. For your convenience, Spring Boot will pick up these artifacts with its upcoming releases.

The following modules were updated as part of 2022.0.0-M3:

• Spring Session Core 3.0.0-M4 - release notes
• Spring Session Data Redis 3.0.0-M4 - release notes
• Spring Session JDBC 3.0.0-M4 - release notes
• Spring Session Hazelcast 3.0.0-M4 - release notes

On behalf of the team, I’m please to announce the release of Spring Session 2021.2. This release upgrades to Spring Data 2021.2 and provides dependency upgrades, minor enhancements, bug fixes, and strategic changes to prepare Spring Session and it’s users for the next generation of Spring Session built on Spring Framework 6.

Project Site | Reference | Help

UPDATES

• [05-17] Due to a mixup CVE-2022-22975 should have been CVE-2022-22978. The blog has been updated to reflect this correction.

CVE-2022-22978 : Authorization Bypass in RegexRequestMatcher

Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22978 : Authorization Bypass in RegexRequestMatcher. Please update as soon as possible.

Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22976: BCrypt skips salt rounds for work factor of 31. Please update as soon as possible.

UPDATES

• [05-17] Due to a mixup CVE-2022-22975 should have been CVE-2022-22978. The blog has been updated to reflect this correction.

Spring Security 5.7.0 (release notes), 5.6.4 (release notes), 5.5.7 (release notes) have been released which fix

• CVE-2022-22978

• CVE-2022-22976.

Please update as soon as possible.

Project Site | Reference | Help