Bump spring-framework-bom from 5.3.25 to 5.3.26

[dependabot]

Bumps spring-framework-bom from 5.3.25 to 5.3.26.

Release notes

Sourced from spring-framework-bom's releases.

v5.3.26

⭐ New Features

• Improve diagnostics in SpEL for matches operator #30145
• Improve diagnostics in SpEL for repeated text #30143
• Increase scope of regex pattern cache for the SpEL matches operator #30141
• Minor updates in HandlerMappingIntrospector #30128
• Allow SnakeYaml 2.0 runtime compatibility #30097
• Add missing @Nullable annotations to LogMessage.format methods #30009
• ASM upgrade for JDK 20/21 support #29966
• Allow MockRest to match header/queryParam value list with one Matcher #29964
• Add MockMvc.multipart() Kotlin extensions with HttpMethod #29941
• Release R2DBC connection when cleanup fails in transaction #29925
• org.springframework.web.context.ContextLoader should lazily load ContextLoader.properties #29909
• Improve generated default name for @JmsListener subscription #29902
• Include all Hibernate query methods in SharedEntityManagerCreator's queryTerminatingMethods set #29888
• SQL supplier in R2DBC DatabaseClient is eagerly invoked #29887
• Spring Framework 5.3.x is incompatible with Jetty 10 (Client) #29867
• Possible infinite forward loop with MockMvcWebConnection #29866
• Refine Jackson2ObjectMapperBuilder#configureFeature exception handling #29860
• Fix R2dbcTransactionManager debug log: don't log a Mono #29824

🐞 Bug Fixes

• RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #30121
• SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #30118
• CaffeineCacheManager getCache method cause thread block #30085
• Protect JMS connection creation against prepareConnection errors #30051
• ReactorServerHttpRequest does not reflect forwarded host and port when forwarding-header-strategy=native or cloud platform detected #29974
• WebSocket stats not updated correctly when sessions cleared #29947
• Explicit target ClassLoader for interface-based proxies in MvcUriComponentsBuilder #29914
• Closing an ApplicationContext leads to Exception at ExecutorServiceAdapter #29908
• Invalid Accept header results in IllegalStateException #29836
• JettyWebSocketCreator referenced from a method is not visible from class loader with Jetty10RequestUpgradeStrategy #29256

📔 Documentation

• Fix minor spacings in webflux docs #30095
• @AspectJ argument name resolution algorithm is outdated in reference manual #30057
• Fix "Configuring a Global Date and Time Format" example #30036
• Consistent @Bean method return type for equivalence with XML example #29970
• Update @DynamicPropertySource examples regarding changes in Testcontainers #29940
• Clarify semantics of primitivesDefaultedForNullValue in BeanPropertyRowMapper #29926
• Clearly document that DataClassRowMapper supports Java records #29922
• Outdated Javadoc for AbstractApplicationContext.postProcessBeanFactory #29916

🔨 Dependency Upgrades

• Upgrade to Reactor Netty 2020.0.30 #30116

Commits

• 3540029 Release v5.3.26
• eafe3af Polishing and minor refactoring in HandlerMappingIntrospector
• 26e0343 Improve diagnostics in SpEL for matches operator
• 4d5e720 Improve diagnostics in SpEL for repeated text
• 430fc25 Increase scope of regex pattern cache for the SpEL matches operator
• 0882ca5 Polishing
• 94bbf85 Stop printing to System.out in SpEL tests
• 2c2ef12 Upgrade to Netty 4.1.90 and Checkstyle 10.9.1
• 120d512 Polishing (backported from main)
• 3ddf183 Update copyright headers
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Proposed changelog entries

• Bump spring-framework-bom from 5.3.25 to 5.3.26. Spring framework BOM 5.3.26 release notes

[MarkEWaite]

I was worried by the entry in the 5.3.26 changelog that says:

• Spring Framework 5.3.x is incompatible with Jetty 10 (Client) #29867

But that issue is fixing an incompatibility that we never detected (as far as I can tell).

[MarkEWaite]

This PR is now ready for merge. We will merge it after approximately 24 hours if there is no negative feedback.

/label ready-for-merge

[trash-80]

This should be backported to 387.x LTS to fix CVE-2023-20860

/label lts-candidate

[NotMyFault]

This should be backported to 387.x LTS to fix CVE-2023-20860

That vulnerability does not impact Jenkins.

[trash-80]

Thank you!
May I ask for further explanation of how it doesn't impact Jenkins?

[trash-80]

This should be backported to 387.x LTS to fix CVE-2023-20861
/label lts-candidate

[MarkEWaite]

May I ask for further explanation of how it doesn't impact Jenkins?

No further explanation is generally provided to explain why a CVE in a dependency does not impact Jenkins.

With regard to CVE’s in dependencies, the Jenkins security officer has said:

When a CVE has an impact to the security of Jenkins, we include it in an advisory, like CVE-2022-2048 in Jetty or CVE-2021-43859 in XStream

Instead of announcing a continuous flow of non-impacting vulnerabilities, our approach is to publish information only for those that we consider interesting, like critical score, widely spread, etc.
For them you will find an article in our blog, like: Log4Shell or SpringShell.

As far as I know, Jenkins does not use SPeL expressions, so a backport of this update will only silence security scanners without having any real impact on Jenkins security.