Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency org.springframework.boot:spring-boot-actuator to v2.7.18 [security] - autoclosed #1155

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 18, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework.boot:spring-boot-actuator (source) 2.3.12.RELEASE -> 2.7.18 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-34055

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC or Spring WebFlux
  • org.springframework.boot:spring-boot-actuator is on the classpath

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-actuator)

v2.7.18

Compare Source

⚠️ Noteworthy Changes
  • Following the Paketo team's announcement that the Bionic CNB builders will be removed, the default builder using by bootBuildImage (Gradle) and spring-boot:build-image (Maven) has been changed to Paketo Jammy #​38477
🐞 Bug Fixes
  • App fails to start with a NoSuchMethodError when using Flyway 10.0.0 #​38164
  • spring.webflux.multipart.max-disk-usage-per-part behaves incorrectly for values where the number of bytes overflows an int #​38146
  • Mail health indicator fails when host is not set in properties #​38007
📔 Documentation
  • Document supported SQL comment prefixes #​38385
  • Fix link to Elasticsearch health indicator #​38330
  • Improve --help and documentation for "encodepassword -a/--algorithm" in the Spring Boot CLI #​38203
  • Document that TomcatConnectorCustomizers are not applied to additional connectors #​38183
  • MyErrorWebExceptionHandler example in documentation isn't working #​38104
  • Document that SerializationFeature.WRITE_DURATIONS_AS_TIMESTAMPS is disabled by default #​38083
  • Update "Running Behind a Front-end Proxy Server" to include reactive and ForwardedHeaderTransformer #​37282
  • Improve documentation of classpath.idx file and its generation by the Maven and Gradle plugins #​37125
  • Document configuration for building images with Colima #​34522
  • Code sample in "Developing Your First Spring Boot Application" does not work #​34513
  • Document ConfigurationPropertyCaching #​34172
  • Document that application.* banner variables require a packaged jar or the use of Boot's launcher #​33489
  • Add section on AspectJ support #​32642
  • Document server.servlet.encoding.* properties and server.servlet.encoding.mapping in particular #​32472
  • Add a section on customizing embedded reactive servers #​31917
  • Clarify that MVC components provided through WebMvcRegistrations are subject to subsequent processing and configuration by MVC #​31232
  • Clarifying documentation on including a top-level @TestConfiguration class in a test #​30513
  • Clarify that @AutoConfigureWebTestClient binds WebTestClient to mock infrastructure #​29890
  • Improve systemd configuration documentation #​28453
  • Document how to customize the basePackages that auto-configurations consider (for example Spring Data Repositories) #​27549
  • Document additional user configuration that's required after setting spring.hateoas.use-hal-as-default-json-media-type to false #​26814
  • Add how-to documentation for test-only database migrations with Flyway/Liquibase #​26796
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GVictorG7, @​PENEKhun, @​dreis2211, and @​izeye

v2.7.17

Compare Source

⚠️ Noteworthy Changes
  • The behavior of spring.jms.listener.concurrency has been corrected to match the documentation (#​37180). If you were setting spring.jms.listener.concurrency without also setting spring.jms.listener.max-concurrency, please review your configuration when upgrading.
🐞 Bug Fixes
  • @Order does not work on (CommandLine|Application)Runner @Bean methods #​37905
  • Gradle plugin uses to-be-deprecated API for getting and setting file permissions #​37878
  • Task executor metrics are not registered when using lazy initialization #​37832
  • Constructor binding with a custom collection type does not work #​37734
  • Dependency management for kafka-server-common with a test classifier is missing #​37499
  • fileMode and dirMode are not applied to all entries in an archive produced by BootJar #​37496
  • Gradle plugin's build info support produces a deprecation warning when using Gradle 8.4-rc-1 #​37493
  • RepackageMojo doesn't support 1 digit numerical values for project.build.outputTimestamp #​37438
  • Restarter creates memory leak in tests #​37373
  • Contrary to the documentation, setting spring.jms.listener.concurrency alone configures the maximum concurrency #​37180
  • Application fails to start when an optional config import cannot be resolved #​35683
  • @ComponentScan on a test class is processed when creating a test context but is not included in the context's cache key #​31577
  • AspectJ transaction management with compile-time weaving does not work with spring.main.lazy-initialization=true #​37506
📔 Documentation
  • Remove link to LiveReload website due to timeout #​37643
  • Refer to ActiveMQ as ActiveMQ "Classic" #​37606
  • Use more idiomatic Kotlin in example for "Map Health Indicators to Micrometer Metrics" #​37491
  • Document support for Java 21 #​37371
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​bottlerocketjonny, @​dependabot[bot], @​erichaagdev, @​esperar, @​izeye, @​jbertram, @​nielsbasjes, @​onobc, @​ttddyy, and @​vpavic

v2.7.16

Compare Source

⭐ New Features
  • Add TWENTY_ONE to JavaVersion enum #​37362
🐞 Bug Fixes
  • Invalid Accept header produces HTTP 500 in WelcomePageHandlerMapping #​37455
  • PrivateKeyParser doesn't support ed448, XDH and RSA-PSS keys #​37237
  • Parsing OCI image names that are invalid due to the use of upper case letters is very slow #​35657
  • Using https with elliptic curves other than secp384r1 fails #​34232
  • Saml2RelyingPartyAutoConfiguration ignores sign-request when metadata-url is used #​33747
  • Leaking file descriptor / socket within DomainSocket tooling #​32423
📔 Documentation
  • Correct the description of spring.artemis.broker-url #​37260
  • Add default value metadata for management.metrics.export.signalfx.published-histogram-type #​37210
  • Document that PKCS8 PEM files should be used whenever possible #​37170
  • Polish javadoc #​37112
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​dependabot[bot], @​hakan-krgn, @​izeye, @​mdeinum, and @​quaff

v2.7.15

Compare Source

⚠️ Noteworthy Changes
  • This release upgrades to MariaDB 3.1.4 from 3.0.x to restore compatibility with Java 8. If the upgrade is problematic and Java 8 compatibility is not a requirement, downgrade to 3.0.x by using the mariadb.version property
🐞 Bug Fixes
  • Artemis ConnectionFactory is not configured when CachingConnectionFactory is missing and enabled properties are false #​36767
  • server.max-http-request-header-size doesn't affect Netty server with http2 enabled #​36766
  • LogbackLoggingSystem does not report suppressed exception details #​36645
  • Tomcat warns about a missing +/- prefix when enabling multiple protocols through server.ssl.enabled-protocols #​36572
  • Descriptions of started and ready time metrics contain time units but the unit may change when the metrics are exported #​36507
  • management.metrics.export.wavefront properties are incomplete #​36498
  • management.metrics.export.signalfx properties are incomplete #​36497
  • management.metrics.export.atlas properties are incomplete #​36496
  • Script-based database initialization fails with an unhelpful error message when configured with a resource that points to a directory #​36386
  • JobLauncherApplicationRunner returns a success exit code even when no jobs have been run #​36060
  • DatabaseDriver swallows real exception #​34728
  • Application Context initialized twice during test when exception thrown during initialization #​24888
📔 Documentation
  • Maven plugin docs contain invalid parameter for image building #​37048
  • Align javadoc of AbstractFilterRegistrationBean#setDispatcherTypes #​36965
  • Update RestTemplateBuilder#defaultHeader javadoc to reference correct client-side HTTP request class #​36614
  • @since is missing from javadoc of values added to JavaVersion since its introduction #​36608
  • Document that server.forward-headers-strategy property defaults to native when running on Kubernetes #​36564
  • Clarify the effect of using @EnableWebMvc #​36506
  • Documentation of spring.redis.url incorrectly states that it does not override spring.redis.user #​36477
  • Improve documentation to describe how @EntityScan and @Enable?Repositories can be used to tune scanning #​36282
  • Document that scripts for database initialization are optional by default and how they can be made mandatory #​36176
  • Document @DataR2dbcTest support #​35014
  • Update expected size of the jar file in the first application getting started documentation #​34514
  • Improve documentation of spring.cache.type=none #​33694
  • Clarify that spring.security.filter properties only apply to servlet-based web apps #​33551
  • Describe quirks of JUL and Log4j2 in the javadoc of OutputCaptureExtension #​32562
  • Documentation describes how to opt in to using the path pattern parser but it's now the default #​32557
  • Clarify table that shows how logging properties are transferred to system properties #​32160
  • Rework Working with NoSQL Technologies to clarify which stores are supported by Spring Data #​29694
  • Clarify how nested directories are treated for configtree with wildcards #​28203
  • Document defaults for spring.mvc.format.* and spring.webflux.format.* properties #​30041
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​MahatmaFatalError, @​NersesAM, @​chicobento, @​dependabot[bot], @​dreis2211, @​eddumelendez, @​elevne, @​fzyzcjy, @​itsAkshayDubey, @​izeye, @​msobeck, @​rob-valor, @​spa-abaudat, and @​vpavic

v2.7.14

Compare Source

🐞 Bug Fixes
  • Only one health group can be exposed using management.endpoint.health.group.xxx.additional-path=server:/newpath when using Jersey #​36250
  • MockitoPostProcessor doesn't check FactoryBean.OBJECT_TYPE_ATTRIBUTE correctly #​36224
  • ConfigurationPropertiesReportEndpoint does not display primitive wrapper types #​36076
  • When using Flyway 9.20.0, auto-configuration fails with a NoSuchMethodError due to the removal of Oracle-related methods from FluentConfiguration #​36029
  • Saml2RelyingPartyRegistrationConfiguration can choose the wrong RelyingPartyRegistration.Builder when using a metadata file with multiple providers #​35902
  • ImportsContextCustomizer does not support AliasFor #​34917
  • ConfigurationPropertyName#equals is not symmetric when element has trailing dashes #​34804
📔 Documentation
  • Add Javadoc since to ImageReference.inTaglessForm() #​36048
  • Polish Kafka Properties Docs #​36032
  • Fix typo in the Using R2DBC section of the reference documentation #​36019
  • Improve Kubernetes liveness and readiness probes customization documentation #​34978
  • Document auto-configuration of underlying HTTP client when using WebClient or RestTemplate #​34136
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ThomazPassarelli, @​bbulgarelli, @​bedla, @​dependabot[bot], @​dkswnkk, @​eydunn, @​garyrussell, @​izeye, @​lasselindqvist, @​lmartelli, and @​quaff

v2.7.13

Compare Source

🐞 Bug Fixes
  • Spring Boot properties migrator can create circular references #​35919
  • Devtools does not support package-private main classes #​35858
  • Java 20 is supported but there's no value for it in the JavaVersion enum #​35758
  • Processing of @EndpointCloudFoundryExtension logs a warnings as it does not use @AliasFor on its override of the endpoint attribute #​35716
  • Actuator loggers list endpoint throws exception on Log4J2 loggers with custom log levels #​35227
  • Validation is not applied for ConfigurationProperties that implement Validator and use @ConstructorBinding #​33669
📔 Documentation
  • Description of spring.data.mongodb.uri property incorrectly states that it overrides spring.data.mongodb.database #​35686
  • Update description of spring-boot-starter-data-rest to clarify that it uses Spring MVC #​35678
  • Move property notes up to external configuration section #​35662
  • Document audience support in OAuth2 resource server #​35286
  • Add @DynamicPropertySource to documented list of property source ordering #​32901
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​bbulgarelli, @​bikash30851, and @​twobiers

v2.7.12

Compare Source

🐞 Bug Fixes
  • Welcome page may return a 404 when an acceptable response cannot be produced #​35552
  • Invalid reference format error when tagging images using Podman #​35358
  • FactoryBean.getObject for non-singleton executed when resetting mocks #​35324
  • Can't use PEM encoded PKCS#8 EC keys with server.ssl.certificate-private-key #​35322
  • Webflux server gracefulshutdown throws NullPointerException #​35264
  • Health actuator mail details shows the port as -1 when using the default port #​35247
  • SessionRepositoryFilterConfiguration can cause early initialization of SessionRepository beans including Redis #​35240
  • Devtools main method search algorithm can find incorrect main method #​35214
  • When a WebFlux app is deployed to Cloud Foundry some metrics are lost and numerous beans are ineligible for post-processing #​35163
  • Liveness and readiness probes return down when lazy initialization is enabled #​35161
  • Treating a null Flyway-specific password as an empty string prevents the use of PGPASS for authentication #​35110
  • WebClient auto-configuration tries to use HttpComponentsClientHttpConnector when all required classes are not present #​34964
  • MinIdle and MaxValidationTime properties missing for R2DBC pools #​34724
📔 Documentation
  • Polish formatting of permitAll() endpoint security Kotlin example #​35454
  • Wrong anchors in Maven plugin documentation #​35371
  • Correct list of annotations that are equivalent to @SpringBootApplication #​35180
  • Harmonize references to application.yaml files in reference docs #​34628
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​JunJaBoy, @​aasaru, @​davin111, and @​ivandimitrov8080

v2.7.11

Compare Source

🐞 Bug Fixes
  • CloudFoundry integration does not use endpoint path mappings #​35085
  • Gradle Spring Boot plugin with Kotlin DSL does not support includeProjectDependencies in bootJar > layered > dependencies configuration #​35033
  • Banner placeholders use default values too soon #​34764
  • Cassandra default configuration substitutions don't resolve against configuration derived from spring.data.cassandra properties #​34643
  • ApplicationAvailability bean is auto-configured even if a custom one is already present #​34347
  • Nested test classes don't inherit properties from slice test annotations on enclosing class #​33317
📔 Documentation
  • Use current Neo4j version in Testcontainers-based examples #​34775
  • Clarify servlet container compatibility #​34697
  • Document that optional dependencies are included by default in fat jars built with Maven #​34636
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​SeasonPanPan, @​acktsap, @​dreis2211, @​jgslima, @​krzyk, and @​meistermeier

v2.7.10

Compare Source

🐞 Bug Fixes
  • Some of the deprecated spring.security.saml2.relyingparty.registration.*.identityprovider.* properties are ignored #​34525
  • Maven plugin uses timezone-local timestamps when outputTimestamp is used #​34424
  • Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 #​34405
  • EmbeddedWebServerFactoryCustomizerAutoConfiguration should not run when embedded web server is not configured #​34332
  • Image builds with podman fail when image buildpacks are configured #​34324
  • org.springframework.boot.web.embedded.jetty.GracefulShutdown uses the wrong class to create its logger #​34220
  • StandardConfigDataResource can import the same file twice if the classpath includes '.' #​34212
📔 Documentation
  • Document support for Java 20 #​34642
  • Update two references to old APIs #​34567
  • Clarify conventions for custom error pages in WebFlux #​34534
  • Add documentation tip showing how to configure publishRegistry Maven properties from the command line #​34517
  • Document support for Gradle 8 #​34458
  • Document how to get socket location for image building configuration with podman #​34435
  • Fix typo in Encrypting Properties #​34386
  • Use plugins DSL consistently in Spring Boot Gradle Plugin docs #​34048
  • Add link to Failover starter #​32943
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​1993heqiang, @​anandmnair, @​anthonydahanne, @​dsyer, @​izeye, @​jongwooo, and @​terminux

v2.7.9

Compare Source

🐞 Bug Fixes

  • Maven Plugin's PropertiesMergingResourceTransformer closes InputStream when it should not do so #​34063
  • Actuator Health web endpoint broken with Gson and Java 17 #​34030
  • Dependency management for Mongo's Java Driver is incomplete #​33941
  • Using devtools with Reactive application results in slower restarts #​33855
  • Spies are not reset after test execution when using @SpyBean #​33830
  • Properties Migrator does not detect properties of Map type that are marked as deprecated #​27854

📔 Documentation

  • Updated documentation for @ConfigurationProperties bean naming rules #​34029
  • Restore "Use Jedis Instead of Lettuce" how-to documentation #​33994
  • Add Redis application properties example #​33965
  • Use Maven Central for release downloads in CLI installation documentation #​33962
  • Actuator section is missing from documentation overview #​33932
  • Add Javadoc since to OperationParameter.getAnnotation() #​33914
  • Document additional configuration that is required for spring.mvc.throw-exception-if-no-handler-found=true to be effective #​31660

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Anubhav-2000, @​enimiste, @​izeye, @​jprinet, @​marcel-wollschlaeger, @​mhalbritter, @​michaldo, and @​sannanansari

v2.7.8

Compare Source

⭐ Noteworthy

🐞 Bug Fixes

  • Devtools sets non-existent property spring.reactor.debug #​33858
  • Failing calls to reactive health indicators are not logged #​33774
  • Failure analysis of NoUniqueBeanDefinitionException reports "defined in null" when bean definition has no resource description #​33765
  • NPE in RabbitProperties when user is given, but password not #​33752
  • SDKMAN should not use repo.spring.io for releases #​33708
  • Homebrew and Scoop should not use repo.spring.io for releases #​33702
  • EndpointRequestMatcher should have a toString method #​33690
  • It is not possible to provide a custom TransactionProvider bean for JOOQ #​32899
  • SpringBootMockResolver causes AopTestUtils.getUltimateTargetObject to recurse until the stack overflows when it calls it with Spring Security's authentication manager bean #​32632
  • Inconsistent discovery of parameter names for selectors in custom actuator endpoints #​31240
  • @DeprecatedConfigurationProperty has no effect when declared on a record component's accessor method #​29526
  • Headless mode is forced when banner.* file is present. #​28803
  • Diagnostics are poor when the JMX port used by the Maven start goal is in use #​24044

📔 Documentation

  • Replace "via" in documentation and use "over" or "through" instead #​33878
  • Fix typo in k

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the 'security' label Nov 18, 2024
@renovate renovate bot changed the title fix(deps): update dependency org.springframework.boot:spring-boot-actuator to v2.7.18 [security] fix(deps): update dependency org.springframework.boot:spring-boot-actuator to v2.7.18 [security] - autoclosed Nov 19, 2024
@renovate renovate bot closed this Nov 19, 2024
@renovate renovate bot deleted the renovate/maven-org.springframework.boot-spring-boot-actuator-vulnerability branch November 19, 2024 02:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants