Can I just upgrade Spring Framework to 5.3.18 to avoid CVE-2022-22965? - spring

The spring published that:
I used Spring 5.3.16, Spring Boot 2.2.10.RELEASE and Spring Cloud 2.2.10.RELEASE to use spring-cloud-netflix-zuul, so can I just upgrade the Spring version to 5.3.18 but not upgrade the other frameworks?

Spring Boot 2.2.x is EOL and may contain other security fixes that affect you. Spring Boot 2.2.10.RELEASE uses Spring Framework 5.2.9.RELEASE.
If you are using Spring Framework 5.3.x, this is not really a supported scenario irrespective of this CVE. You should be using Spring Framework 5.2.x. For that, we have released Spring Framework 5.2.20.
Of course, to be really safe you should upgrade to a supported version.

Related

Is spring-data-rest-webmvc:3.4.x compatible with Spring Boot 2.3.x?

There is a vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-22047) discovered in spring-data-rest-webmvc which is only fixed in versions 3.4.14 and 3.5.6. Spring Boot 2.3.12 uses the version 3.3.9. Migrating to spring boot 2.4.x or above is not an option for us.
We would like to use spring-data-rest-webmvc:3.4.14, but we are not sure if it's compatible with spring boot 2.3.x.
Can we use them together?
Spring Data Rest version 3.4 and up use Spring Framework version 5.3.x.
Spring Boot 2.3 is built with Spring Framework 5.2.x.
Will it work? Probably, but there are no guarantees that it will keep working or work at all. Most likely it will fail with some NoSuchMethodError or ClassNotFoundException or other exotic exceptions one gets when mixing modules/jars from different versions of a framework.

Which version of Spring framework security is compatible with Spring framework 5.3.4

Currently, I am using
<springFramework.version>3.2.3.RELEASE</springFramework.version>
<springFrameworkSecurity.version>3.1.4.RELEASE</springFrameworkSecurity.version>
I want to move to
<springFramework.version>5.3.4.RELEASE</springFramework.version>
<springFrameworkSecurity.version> ? </springFrameworkSecurity.version>
According to the documentation for the latest Spring Security:
Since Spring Security makes breaking changes only in major releases, it is safe to use a newer version of Spring Security with Spring Boot.
The Spring Framework version you're moving to is 5.3.4, so I would assume that any 5.X.X version of Spring Security should work.
If that works, let us know by marking the answer as solved! If not, leave a comment.

Spring-Boot 1.5.10.release compatibility with apache-kafka-2.3.0 client

My project is built with Spring boot 1.5.10.release. We want to migrate to Apache Kafka® 2.3.0 from Apache Kafka 1.0.x.
We are currently using Spring-kafka 1.3.9.release and want to migrate to spring-kafka-2.3.0. Can we do this without changing the Spring boot version of 1.5.10.release?
I went through the Compatibility matrix but I don't see any relevant answer to my question
https://spring.io/projects/spring-kafka
No, you can't do that. Spring Kafka 2.x, as well as Spring Boot 2.x, is based on Spring Framework 5.x and Java 8. You can't mix such critical versions in Spring Boot 1.5.x.
It is really better to rely on the Spring Boot dependencies management. That way you can be sure that all the artifacts brought by Spring Boot are tested together.

Can I use "Spring Data JDBC" with Spring Boot 1.5.x?

I have tried to figure out which version of spring-data-jdbc to use with Spring Boot 1.5.20.RELEASE (= Spring Framework 4.3.23.RELEASE) - but I can't find that info anywhere.
Is it because spring-data-jdbc only works with Spring Boot 2.x / Spring Framework 5.x?
Specifically I want to use @Query, @EnableJdbcRepositories, etc.
When I look at the release notes for Spring Data Ingalls SR20 (the release train that matches Boot 1.5.20.RELEASE / Framework 4.3.23.RELEASE) it looks like spring-data-jdbc is only supported in Lovelace (Boot 2.x and Framework 5.x): https://spring.io/blog/2019/04/10/spring-data-lovelace-sr6-kay-sr14-ingalls-sr20-released
EDIT &amp; ANSWER: As per comment from @JensSchauder: spring-data-jdbc is a (fairly) new project created from scratch. There is no way to use it with Spring Framework 4.
If you look at the spring-data-jdbc pom.xml it uses spring-data-parent to manage Spring Framework version by defining and applying spring.version property. You must ensure that this Spring Framework version is compatible with whatever version you are using.
The first available spring-data-jdbc:1.0.0.RELEASE version uses spring-data-parent:2.1.0.RELEASE parent which requires Spring Framework 5.1:
<spring>5.1.0.RELEASE</spring>
It's not recommended to use spring-data-jdbc with a lower Spring Framework version. Since Spring Boot 1.5.X uses Spring Framework 4.X, the answer would be no.

Compatibility - Spring Security 4.2.2 with Spring 3.2.14

Our application currently uses JBoss Portal with JAAS as the authentication/authorization mechanism. The version of Spring we are currently using is 3.2.14. For various reasons we are unable to upgrade Spring right now.
We are going to be migrating to Spring Security shortly and are wondering if Spring Security 4.2.2 will be compatible with Spring 3.2.14. My thoughts are that since Spring Security is a separate project it should be OK?
I can't seem to find any information on the compatibility issues between major versions of Spring and major versions of Spring Security.
For Spring Security 4.2.2, the minimum recommended Spring version is 4.3.5.
This is stated in the SpringSecurityCoreVersion class which is located in the org.springframework.security.core package.
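The questions above all come down to the same check: which Spring Framework line a build actually resolves to, whether other Spring modules (Boot, Security, Data, Kafka) match that line, and whether the framework jars are still below the CVE-2022-22965 fixes. The following Python script is an added example, not code from any of the posts or from the Spring projects. It applies the rules the answers state (Boot 2.2.x/2.3.x build on Framework 5.2.x, Boot 1.5.x on 4.3.x; CVE-2022-22965 fixed in 5.3.18 and 5.2.20; Security 4.2.x needs Framework 4.3.5+; spring-data-jdbc 1.x needs 5.1+; spring-kafka 2.x needs 5.x; spring-data-rest-webmvc 3.4+ needs 5.3.x) to `mvn dependency:tree` output. The sample tree, the rule tables and all function names are constructed for the example.

```python
"""Audit a Maven dependency tree for mixed or vulnerable Spring versions (added example)."""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Artifact(NamedTuple):
    group: str
    artifact: str
    version: str


# Constructed sample of `mvn dependency:tree` output; not taken from any real build.
SAMPLE_TREE = """\
[INFO] com.example:zuul-gateway:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.2.10.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.2.10.RELEASE:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.16:compile
[INFO] +- org.springframework:spring-beans:jar:5.3.16:compile
[INFO] +- org.springframework:spring-webmvc:jar:5.2.9.RELEASE:compile
[INFO] \\- org.springframework.security:spring-security-core:jar:4.2.2.RELEASE:compile
"""

# One "group:artifact:jar:version:scope" node per tree line.
NODE_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.]+):(?P<artifact>[A-Za-z0-9_.-]+):jar:(?P<version>[A-Za-z0-9_.-]+):\w+"
)

# Framework line -> first release carrying the CVE-2022-22965 fix (5.3.18 / 5.2.20).
CVE_2022_22965_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Spring Boot line -> Spring Framework line it is built with (as stated in the answers).
BOOT_TO_FRAMEWORK = {(2, 2): (5, 2), (2, 3): (5, 2), (1, 5): (4, 3)}

# (group, artifact prefix, module version line, minimum Spring Framework version).
MIN_FRAMEWORK_RULES = [
    ("org.springframework.security", "spring-security-", (4, 2), (4, 3, 5)),
    ("org.springframework.data", "spring-data-jdbc", (1,), (5, 1, 0)),
    ("org.springframework.kafka", "spring-kafka", (2,), (5, 0, 0)),
    ("org.springframework.data", "spring-data-rest-webmvc", (3, 4), (5, 3, 0)),
]


def parse_version(text: str) -> Version:
    """Turn '5.2.9.RELEASE' or '5.3.16' into a comparable tuple; non-numeric qualifiers are dropped."""
    nums: List[int] = []
    for part in text.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def parse_tree(text: str) -> List[Artifact]:
    """Extract every resolved jar from dependency:tree output (the root project has no scope and is skipped)."""
    return [Artifact(m["group"], m["artifact"], m["version"]) for m in NODE_RE.finditer(text)]


def framework_versions(artifacts: List[Artifact]) -> List[Version]:
    """Distinct org.springframework (core framework) versions present in the tree."""
    return sorted({parse_version(a.version) for a in artifacts if a.group == "org.springframework"})


def check_cve_2022_22965(artifacts: List[Artifact]) -> List[Artifact]:
    """Framework jars on the 5.2 or 5.3 line that are older than the fixed release."""
    vulnerable = []
    for a in artifacts:
        if a.group != "org.springframework":
            continue
        v = parse_version(a.version)
        fixed: Optional[Version] = CVE_2022_22965_FIXED.get(v[:2])
        if fixed is not None and v < fixed:
            vulnerable.append(a)
    return vulnerable


def check_mixing(artifacts: List[Artifact]) -> List[str]:
    """Report framework lines that do not match Boot, or modules whose minimum framework is not met."""
    findings: List[str] = []
    fw = framework_versions(artifacts)
    if len(fw) > 1:
        findings.append("mixed Spring Framework versions: " + ", ".join(fmt(v) for v in fw))
    boot = [parse_version(a.version) for a in artifacts if a.group == "org.springframework.boot"]
    expected = BOOT_TO_FRAMEWORK.get(boot[0][:2]) if boot else None
    if expected:
        for v in fw:
            if v[:2] != expected:
                findings.append(f"Spring Boot {fmt(boot[0])} builds on Framework {fmt(expected)}.x but tree has {fmt(v)}")
    for a in artifacts:
        for group, prefix, line, minimum in MIN_FRAMEWORK_RULES:
            if a.group == group and a.artifact.startswith(prefix) and parse_version(a.version)[: len(line)] == line:
                for v in fw:
                    if v < minimum:
                        findings.append(f"{a.artifact} {a.version} needs Spring Framework {fmt(minimum)}+ but tree has {fmt(v)}")
    return findings


if __name__ == "__main__":
    arts = parse_tree(SAMPLE_TREE)
    for a in check_cve_2022_22965(arts):
        print(f"CVE-2022-22965: {a.group}:{a.artifact}:{a.version} is below the fixed release")
    for f in check_mixing(arts):
        print("compatibility:", f)
```

Run it against real output with `mvn dependency:tree | python audit_spring.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; on the constructed tree it flags spring-core and spring-beans 5.3.16 (below 5.3.18), spring-webmvc 5.2.9 (below 5.2.20), the two framework lines mixed in one build, and the 5.3.16 jars sitting under Boot 2.2.10, which is exactly the unsupported combination the first answer warns about.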
