Foundations & Security Essentials

Spring Framework

5.3.44 (NES) - Nov 15, 2024

Bug Fixes

• Fixes to core and web packages to address DoS issue.
  • This patches DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
  • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.44 in the following artifacts:
    • com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.44
    • com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.44

Notes

• Full Version: 5.3.39-spring-framework-5.3.44

5.3.43 (NES) - October 30, 2024

Bug Fixes

• Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
  • This patches a variation of the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38819).
  • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.43 in the following artifacts:
    • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.43
    • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.43

Notes

• Full Version: 5.3.39-spring-framework-5.3.43

5.3.42 (NES) - October 24, 2024

Bug Fixes

• Fixed an issue with DataBinder's disallowedFields related to case insensitivity.
  • This update addresses the Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
  • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.42 in the following artifacts:
    • com.herodevs.nes.springframework:spring-context:5.3.39-spring-framework-5.3.42
    • com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.42
    • com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.42
    • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.42
    • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.42
    • com.herodevs.nes.springframework:spring-websocket:5.3.39-spring-framework-5.3.42

Notes

• Full Version: 5.3.39-spring-framework-5.3.42

5.3.41 (NES) - September 19, 2024

Bug Fixes

• Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
  • This patches the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38816).
  • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.41 in the following artifacts:
    • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.41
    • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.41

Notes

• Full Version: 5.3.39-spring-framework-5.3.41

5.3.40 (NES) - August 26, 2024

Notes

• This release originates from the open-source Spring Framework repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Framework 5.3.39.
• Full Version: 5.3.39-spring-framework-5.3.40

4.3.31 (NES) - November 18, 2024

Notes

• This is the initial release of Spring Framework 4.3.30 from the open-source Spring Framework repository forked by HeroDevs.
• This release contains no functional changes from Spring Framework 4.3.30.
• Full Version: 4.3.30-spring-framework-4.3.31

Spring Security

5.8.17 (NES) - November 19, 2024

Bug Fixes

• This patches the Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
  • com.herodevs.nes.springframework.security:spring-security-cas:5.8.16-spring-security-5.8.17
  • com.herodevs.nes.springframework.security:spring-security-config:5.8.16-spring-security-5.8.17
  • com.herodevs.nes.springframework.security:spring-security-core:5.8.16-spring-security-5.8.17
  • com.herodevs.nes.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.17
  • com.herodevs.nes.springframework.security:spring-security-data:5.8.16-spring-security-5.8.17
  • com.herodevs.nes.springframework.security:spring-security-ldap:5.8.16-spring-security-5.8.17
  • com.herodevs.nes.springframework.security:spring-security-oauth2-client:5.8.16-spring-security-5.8.17
  • com.herodevs.nes.springframework.security:spring-security-taglibs:5.8.16-spring-security-5.8.17
  • com.herodevs.nes.springframework.security:spring-security-web:5.8.16-spring-security-5.8.17

Notes

• Full Version: 5.8.16-spring-security-5.8.17

5.8.16 (NES) - October 29, 2024

Bug Fixes

• This patches the Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
  • com.herodevs.nes.springframework.security:spring-security-web:5.8.15-spring-security-5.8.16

Notes

• Full Version: 5.8.15-spring-security-5.8.16

5.8.15 (NES) - September 20, 2024

Notes

• This release originates from the open-source Spring Security repository forked by HeroDevs starting with version 5.8.14.
• Includes other modifications implemented by HeroDevs to ensure successful library builds.
• Full Version: 5.8.14-spring-security-5.8.15

5.7.15 (NES) - November 19, 2024

Bug Fixes

• This patches the Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
  • com.herodevs.nes.springframework.security:spring-security-cas:5.7.14-spring-security-5.7.15
  • com.herodevs.nes.springframework.security:spring-security-config:5.7.14-spring-security-5.7.15
  • com.herodevs.nes.springframework.security:spring-security-core:5.7.14-spring-security-5.7.15
  • com.herodevs.nes.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.15
  • com.herodevs.nes.springframework.security:spring-security-data:5.7.14-spring-security-5.7.15
  • com.herodevs.nes.springframework.security:spring-security-ldap:5.7.14-spring-security-5.7.15
  • com.herodevs.nes.springframework.security:spring-security-oauth2-client:5.7.14-spring-security-5.7.15
  • com.herodevs.nes.springframework.security:spring-security-taglibs:5.7.14-spring-security-5.7.15
  • com.herodevs.nes.springframework.security:spring-security-web:5.7.14-spring-security-5.7.15

Notes

• Full Version: 5.7.14-spring-security-5.7.15

5.7.14 (NES) - October 29, 2024

Bug Fixes

• This patches the Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
  • com.herodevs.nes.springframework.security:spring-security-web:5.7.13-spring-security-5.7.14

Notes

• Full Version: 5.7.13-spring-security-5.7.14

5.7.13 (NES) - August 26, 2024

Notes

• This release originates from the open-source Spring Security repository forked by HeroDevs starting with version 5.7.12.
• Includes other modifications implemented by HeroDevs to ensure successful library builds.
• Spring Security 5.7.12 includes Spring Framework 5.3.29. This release updates Spring Framework to version NES version 5.3.40 which is equivalent to the original Spring Framework 5.3.39. For reference, here is a list of all included updates from Spring Framework included here:
  • v5.3.30
  • v5.3.31
  • v5.3.32
  • v5.3.33
  • v5.3.34
  • v5.3.35
  • v5.3.36
  • v5.3.37
  • v5.3.38
  • v5.3.39
• Full Version: 5.7.12-spring-security-5.7.13

4.2.21 (NES) - November 7, 2024

Notes

• This is the initial release of Spring Security 4.2.20 from the open-source Spring Security repository forked by HeroDevs.
• This release contains no functional changes from Spring Security 4.2.20.
• Full Version: 4.2.20-spring-security-4.2.21

Spring Boot

2.7.20 (NES) - September 25, 2024

Bug Fixes

• Addresses issue in Spring Boot Jar loader to detect signature mismatch of nested jar files.
  • This patches the signature forgery vulnerability in Spring Boot's jar loader (CVE-2024-38807).
  • This fix is included in NES for Spring Boot version 2.7.18-spring-boot-2.7.20 in the following artifacts:
    • com.herodevs.nes.springframework.boot:spring-boot-loader:2.7.18-spring-boot-2.7.20

Notes

• Full Version: 2.7.18-spring-boot-2.7.20

2.7.19 (NES) - August 26, 2024

Notes

• This release originates from the open-source Spring Boot repository forked by HeroDevs. This release updates Spring Framework to version NES version 5.3.40 and Spring Security NES version 5.7.13.
• The original Spring Boot 2.7.18 version included the following versions:
  • Spring Framework 5.3.31
  • Spring Security 5.7.11
• With the upgrade to our NES versions of Spring Framework 5.3.40 and Spring Security 5.7.13, these include the following changes from both Spring Framework and Spring Security projects. The release notes for those releases are listed below for reference:
  • Spring Framework:
    • v5.3.31
    • v5.3.32
    • v5.3.33
    • v5.3.34
    • v5.3.35
    • v5.3.36
    • v5.3.37
    • v5.3.38
    • v5.3.39
  • Spring Security:
    • 5.7.12
• Includes other modifications implemented by HeroDevs to ensure successful library builds.
• This release contains no functional changes from Spring Boot 2.7.18.
• Full Version: 2.7.18-spring-boot-2.7.19