Hi Team, it is found that spring-web version 5.3.25 has a security vulnerability logged, CVE-2016-1000027, and the subsequent releases are version 6.x, for which the minimum JDK requirement is 17.x. Is there any plan to release 5.3.26 or backport this security fix in the older stream (which supports Java 8), as upgrading Java from 8 to Java 17 may break many functionalities? Please review it once.
Thank you.
@harishdalm There is no plan to release a new version changing this in 5.3.x.
This security issue is about deserializing Java classes from untrusted sources, which is not directly tied to Spring Framework.
See #24434 for more details.
You can check that your application is not using HTTPInvokerServiceExporter or RemoteInvocationSerializingExporter; if it is, please ensure that it's not accepting untrusted input.
2aeddb4
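The check the reply recommends, as an added example that is not the Spring team's code: a POSIX shell audit that searches an application tree for references to the two exporter classes, in sources, Spring XML and compiled classes. The sample tree it builds is constructed here for illustration and is not taken from any real project.

```shell
#!/bin/sh
# Added example (not from the Spring project): audit an application tree for the
# two exporter classes named in the reply. Matching files are listed on stdout;
# the function returns 0 when nothing is found and 1 when at least one file
# references either class. Compiled .class files are scanned too (-a treats them
# as text), since a referencing class carries the exporter's name in its constant pool.
audit_http_invoker() {
  root="$1"
  pattern='HttpInvokerServiceExporter|RemoteInvocationSerializingExporter'
  hits=$(grep -rEial \
      --include='*.java' --include='*.kt' --include='*.groovy' \
      --include='*.xml' --include='*.properties' --include='*.class' \
      "$pattern" "$root" 2>/dev/null || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Constructed sample tree (hypothetical files, not real project content) so the
# check can be exercised offline: one XML bean definition and one Java source
# that reference an exporter, plus a clean subtree that does not.
make_sample_tree() {
  base="$1"
  mkdir -p "$base/app/src" "$base/app/conf" "$base/clean/src"
  cat > "$base/app/conf/remoting.xml" <<'EOF'
<bean name="/AccountService"
      class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter"/>
EOF
  cat > "$base/app/src/Exporter.java" <<'EOF'
import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;
public class Exporter extends RemoteInvocationSerializingExporter {}
EOF
  printf 'public class Clean {}\n' > "$base/clean/src/Clean.java"
}

# Run with --demo to build the sample tree and audit its "app" subtree.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  if audit_http_invoker "$tmp/app"; then
    echo "no exporter usage found"
  else
    echo "REVIEW: the files above expose Java deserialization endpoints"
  fi
  rm -rf "$tmp"
fi
```

A hit is only a starting point: for each listed file, confirm whether the exporter is reachable by untrusted clients, which is the condition the reply asks you to rule out.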
Sure, thanks, and I appreciate your quick response!