Update Spring boot qs due to CVE
Closed this issue · 1 comments
renedupont commented
Hello,
Due to https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement I propose to update the Spring Boot version to 2.6.6.
As far as I understood, we most likely won't have issues with it because we usually don't package as .war files, which seems to be a requirement to be impacted according to https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted, but I guess it is still worth upgrading just in case.
renedupont commented
Well actually, looking at https://github.com/opendevstack/ods-quickstarters/blob/master/be-java-springboot/Jenkinsfile#L23 - and considering the `.RELEASE` suffix hasn't been used since version 2.4 anymore (check https://mvnrepository.com/artifact/org.springframework.boot/spring-boot) - and assuming the Spring Initializr would take the default in case of an invalid value - we have been unintentionally on the latest automatically for quite some time 😆.
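The comment above relies on a generator silently falling back to its default when it is handed a version string that does not exist. An added example (not code from this issue or from the ods-quickstarters project) of the check a pipeline could run instead: validate the requested Spring Boot version against the published version list before using it, fail loudly if it is not published, point out the likely `.RELEASE` suffix mismatch, and report whether the version is at or above the 2.6.6 proposed in this thread. The `maven-metadata.xml` excerpt below is a constructed sample shaped like the one Maven Central serves for `org.springframework.boot:spring-boot`; the real file would be fetched from the repository and is far longer.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of Maven Central's
# org/springframework/boot/spring-boot/maven-metadata.xml (heavily shortened).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot</artifactId>
  <versioning>
    <latest>2.6.6</latest>
    <release>2.6.6</release>
    <versions>
      <version>2.3.12.RELEASE</version>
      <version>2.4.0</version>
      <version>2.5.12</version>
      <version>2.6.5</version>
      <version>2.6.6</version>
    </versions>
    <lastUpdated>20220331000000</lastUpdated>
  </versioning>
</metadata>
"""

# GA versions only: 'major.minor.patch' with an optional legacy '.RELEASE' suffix.
GA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?$")


def published_versions(metadata_xml: str) -> List[str]:
    """Return every <version> listed under <versioning><versions> in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [v.text for v in root.findall("./versioning/versions/version") if v.text]


def version_key(version: str) -> Tuple[int, int, int]:
    """Numeric sort key; '2.3.12.RELEASE' and '2.3.12' order the same way."""
    match = GA_VERSION.match(version)
    if not match:
        raise ValueError(f"not a GA version string: {version!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def suffix_alternative(version: str) -> str:
    """The same version with the '.RELEASE' suffix toggled, the mismatch discussed above."""
    suffix = ".RELEASE"
    if version.endswith(suffix):
        return version[: -len(suffix)]
    return version + suffix


def check_requested_version(requested: str, metadata_xml: str,
                            minimum: str = "2.6.6") -> Dict[str, Optional[object]]:
    """Validate a pipeline's requested version instead of trusting a silent fallback.

    Returns whether the version is actually published, whether it is at or above
    `minimum` (the fixed release proposed in this issue), and, when it is not
    published, the suffix variant that is (if any) as a hint.
    """
    versions = published_versions(metadata_xml)
    result: Dict[str, Optional[object]] = {
        "requested": requested,
        "published": requested in versions,
        "patched": False,
        "hint": None,
    }
    if not result["published"]:
        alternative = suffix_alternative(requested)
        if alternative in versions:
            result["hint"] = alternative
        return result
    result["patched"] = version_key(requested) >= version_key(minimum)
    return result


if __name__ == "__main__":
    for candidate in ("2.6.6.RELEASE", "2.6.6", "2.6.5", "2.3.12"):
        print(check_requested_version(candidate, SAMPLE_METADATA))
```

Run in a pipeline, a `published: False` result should fail the build rather than let the generator pick a default, so the version that actually ships is the one that was requested and reviewed.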