Upgrade SpringFrameworkt to v3.2.12 and remove spring-asm #14

dzc34 · 2017-01-14T21:50:56Z

Vulnerability

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6429

The Spring MVC in Spring Framework before 3.2.4
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7315

The Spring OXM wrapper in Spring Framework before 3.2.4
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4152

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1904

Directory traversal vulnerability in Spring Framework 3.x before 3.2.9
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578

Directory traversal vulnerability in Spring Framework 3.0.4 through 3.2.x before 3.2.12
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3625

Solution

         <dependency>
             <groupId>org.springframework</groupId>
             (...)
-            <version>3.1.2.RELEASE</version>
+            <version>3.2.12.RELEASE</version>
         </dependency>

-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-asm</artifactId>
-            <version>3.1.2.RELEASE</version>
-        </dependency>

no need to add this spring-asm dependency

from release notes for 3.2 :
"we've eliminated the dedicated spring-asm jar in M2 in favor of including org.springframework.asm classes directly in spring-core"

http://stackoverflow.com/questions/19800004/why-is-there-no-spring-asm-3-2-4-release-jar

https://spring.io/blog/2012/09/12/spring-framework-3-2-m2-released"

"In Spring Framework 3.2, spring-asm is upgraded to org.objectweb.asm 4.0 and included in spring-core. Now there is no need to add this spring-asm dependency." source

The text was updated successfully, but these errors were encountered:

Fixed Asqatasun#13 - Upgraded Apache.HttpComponents HttpClient to v4.3.6 Fixed Asqatasun#14 - Upgraded SpringFrameworkt to v3.2.12 and remove spring-asm Fixed Asqatasun#15 - Removed commons-httpclient dependency

* upgrading-dependencies: Fixed Asqatasun#16 - Changed JSTL artifact (jstl:jstl -> org.apache.taglibs:taglibs-standard-jstlel) Fixed Asqatasun#15 - Removed commons-httpclient dependency Fixed Asqatasun#14 - Upgraded SpringFrameworkt to v3.2.12 and remove spring-asm Fixed Asqatasun#13 - Upgraded Apache.HttpComponents HttpClient to v4.3.6

---------------------- set version to 0.4.2 Updated CHANGELOG Fixed Asqatasun#16 - Changed JSTL artifact (jstl:jstl -> org.apache.taglibs:taglibs-standard-jstlel) Fixed Asqatasun#15 - Removed commons-httpclient dependency Fixed Asqatasun#14 - Upgraded SpringFrameworkt to v3.2.12 and remove spring-asm Fixed Asqatasun#13 - Upgraded Apache.HttpComponents HttpClient to v4.3.6 updated CONTRIBUTING.md fixed Asqatasun#11 - color contrast falling for links fixed Asqatasun#10 - color contrast failing for "the color should be between (...)" Dockerfile : typo set version to 0.4.2-dev

dzc34 added the type: security label Jan 14, 2017

dzc34 self-assigned this Jan 14, 2017

dzc34 closed this as completed in 2990623 Jan 14, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade SpringFrameworkt to v3.2.12 and remove spring-asm #14

Upgrade SpringFrameworkt to v3.2.12 and remove spring-asm #14

dzc34 commented Jan 14, 2017

Upgrade SpringFrameworkt to v3.2.12 and remove spring-asm #14

Upgrade SpringFrameworkt to v3.2.12 and remove spring-asm #14

Comments

dzc34 commented Jan 14, 2017

Vulnerability

Solution

no need to add this spring-asm dependency