This repository was archived by the owner on Nov 13, 2019. It is now read-only.

[Security] Bump spring.version from 4.2.0.RELEASE to 5.2.1.RELEASE #50

Open. Wants to merge 1 commit into base: master

Conversation

dependabot-preview[bot]

Bumps spring.version from 4.2.0.RELEASE to 5.2.1.RELEASE.

Updates spring-core from 4.2.0.RELEASE to 5.2.1.RELEASE. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core and org.springframework.security:spring-security-core
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching, as well as by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.

Affected versions: < 4.3.1

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Affected versions: < 4.3.16

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Affected versions: < 4.3.15

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Affected versions: < 4.3.15

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Affected versions: < 4.3.16

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.

Affected versions: < 4.3.17

Release notes

Sourced from spring-core's releases.

v5.2.1.RELEASE

⭐ New Features

  • Support for limits on input stream processing in WebFlux codecs #23884
  • Race condition affecting performance in AbstractJaxb2HttpMessageConverter - JAXBContext creation #23879
  • Add RSocketRequester retrieveAndAwaitOrNull extension #23874
  • Support unidirectional @AliasFor attribute mapping within an annotation #23834
  • Allow setting primary flag on BeanDefinitionBuilder #23794
  • Introduce sessionAttributeDoesNotExist in RequestResultMatchers #23756
  • EventPublishingTestExecutionListener is not included in JUnit 4 and TestNG base classes #23748
  • Optimize Connection.setReadOnly(false) in DataSourceUtils.resetConnectionAfterTransaction(…) #23747
  • Handling of ResponseStatusException to also include setting of response headers #23741
  • Fix OkHttp3ClientHttpRequestFactory shutdown flow #23628

🪲 Bug Fixes

  • Reorder date formatting converter in registrar #23893
  • Revisit @Configuration(proxyBeanMethods = false) with qualified injection points #23887
  • Fixing NPE in AbstractNamedValueMethodArgumentResolver #23882
  • WebClient onStatus order changed #23880
  • TransactionalOperator::transactional does not close the transaction when cancelled #23864
  • Remove unused type parameter declarations in XpathRequestMatchers #23860
  • Remove unused type parameter declarations in MockMvc #23858
  • Repeatable annotation container no longer found on custom composed annotation #23856
  • Missing CORS headers defined in SockJS CORS configuration #23843
  • Consider target transaction manager for traditional vs reactive transaction decision #23832
  • InaccessibleObjectException after upgrading to Framework 5.2 #23829
  • Incorrect value of the MediaType.APPLICATION_PROBLEM_JSON_UTF8 #23825
  • Autowiring performance degradation due to 5.2's MethodParameter.getParameterType() implementation #23792
  • Preserve expires attribute in MockCookie #23769
  • Regression: attribute override configured via @AliasFor no longer honored in annotation hierarchy #23767
  • spring 5.2 dist.zip naming issue #23745
  • MockServletContext should treat InvalidPathException like an IOException #23717

📔 Documentation

  • Update Spring Boot references in testing documentation #23848
  • Fix typo in rsocket doc #23762
  • Fixes broken links to dev.java.net #23746
  • Fix typo in web-uris doc #23739
  • Update documentation for importing projects into Eclipse #23706

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR1 #23871

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

... (truncated)
Commits
  • 21d751d Release version 5.2.1.RELEASE
  • 89fc0f2 Fix typo in docs
  • 2d208de Clear connection pool for OkHttpClient
  • 3858a69 Path RequestPredicate should honor servlet path
  • 95af079 Document unidirectional @AliasFor attribute mapping support
  • 005d201 Refine changes for PR
  • 64f2beb Fixing NPE in AbstractNamedValueMethodArgumentResolver
  • fd96788 Use int for maxParts instead of long
  • 3691c18 Preserve order of onStatus handlers
  • 74b7b55 Make MBeanServer tests more robust
  • Additional commits viewable in compare view

Updates spring-context from 4.2.0.RELEASE to 5.2.1.RELEASE

Release notes and commits: identical to the spring-core entries above (same spring-framework v5.2.1.RELEASE release).

Updates spring-test from 4.2.0.RELEASE to 5.2.1.RELEASE

Release notes and commits: identical to the spring-core entries above (same spring-framework v5.2.1.RELEASE release).

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps `spring.version` from 4.2.0.RELEASE to 5.2.1.RELEASE.

Updates `spring-core` from 4.2.0.RELEASE to 5.2.1.RELEASE
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v4.2.0.RELEASE...v5.2.1.RELEASE)

Updates `spring-context` from 4.2.0.RELEASE to 5.2.1.RELEASE
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v4.2.0.RELEASE...v5.2.1.RELEASE)

Updates `spring-test` from 4.2.0.RELEASE to 5.2.1.RELEASE
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v4.2.0.RELEASE...v5.2.1.RELEASE)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Nov 8, 2019
0 participants