Sourced from The GitHub Security Advisory Database.

Privilege escalation in spring security Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Affected versions: >= 5.3.0, < 5.3.8

Sourced from spring-security-web's releases.

5.5.0

⭐ New Features

• Configure user name used for Gradle CI builds #9747
• HttpSessionOAuth2AuthorizationRequestRepository storing one OAuth2AuthorizationRequest #9649
• Incorrect javadoc in AuthorizationCodeOAuth2AuthorizedClientProvider #9708
• Restore Dependency Constraints for commons-codec and commons-logging #8836
• Stop CI Jobs on Forks #9717
• Update javadoc AuthorizationCodeOAuth2AuthorizedClientProvider #9730

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.7 #9750
• Update io.spring.nohttp to 0.0.8 #9753
• Update org.springframework to 5.3.7 #9754
• Update org.springframework.data to 2021.0.1 #9755
• Update r2dbc-spi-test to 0.8.5.RELEASE #9752
• Update spring-ldap-core to 2.3.4.RELEASE #9756
• Update to com.gradle.enterprise 3.6.1 #9764
• Update to Gradle. 6.9 #9758
• Update to Kotlin 1.5.0 #9763

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jzheaux
• @​talentedasian
• @​candrews
• @​marcusdacoregio

5.5.0-RC2

⏪ Breaking Changes

• Rename DelegatingAuthorizationManager to RequestMatcherDelegatingAuthorizationManager #9692
• Inline ResourceKeyConverterAdapter #9689

⭐ New Features

• Add Ability to Exclude Minor Version Bump #9709
• Add Task to Check if All Issues in GitHub Milestone are closed #9693
• rename master->main #9683
• Make Csrf cookie secure flag configurable (WebFlux) #9679
• Make the cookie secure flag configurable in CookieServerCsrfTokenRepository #9678
• Add RELEASE.adoc #9627

🔨 Dependency Upgrades

• Update ehcache to 2.10.9.2 #9712
• Update hibernate-entitymanager to 5.4.31.Final #9714

... (truncated)

Sourced from spring-security-web's changelog.

$ ./scripts/release/wait-for-done.sh 5.5.0

= Announce the release on Slack

• Announce via Slack on https://pivotal.slack.com/messages/spring-release[#spring-release], including the keyword +spring-security-announcing+ in the message. Something like:

.... spring-security-announcing 5.5.0 is available. ....

= Tag the release

• Tag the release and then push the tag

.... git tag 5.4.0-RC1 git push origin 5.4.0-RC1 ....

== 7. Update to Next Development Version

• Update gradle.properties version to next +SNAPSHOT+ version and then push

== 8. Update version on project page

The following command will update https://spring.io/projects/spring-security#learn with the new release version using the following parameters

- Replace with a https://github.com/settings/tokens[GitHub personal access token] that has a scope of public_repo - Replace with the milestone you are releasing now (i.e. 5.5.0-RC1) - Replace with the previous release which will be removed from the listed versions (i.e. 5.5.0-M3)

[source,bash]

$ ./gradlew saganCreateRelease saganDeleteRelease -PgitHubAccessToken= -PnextVersion= -PpreviousVersion=

== 9. Update Release Notes on GitHub

Generate the Release Notes replacing:

• - Replace with the milestone you are releasing now (i.e. 5.5.0-RC1)

---

$ ./gradlew generateChangelog -P

... (truncated)

• abd1001 Fix SpringNexsPublishPlugin spacing in root
• 39c5f3d Fix closeAndReleaseOssrhStagingRepository
• 05dd693 Delay until PublishAllJavaComponentsPlugin
• 0392495 Update GitHub Actions to use publishArtifacts
• 4d25115 opensaml4MainCompile
• 1491f2e Fix saml javadoc
• 777a275 fix bom
• b750f3b copyproperties for bom plugin
• b0f661f Revert "Map optional dependencies to Maven"
• d8e4f6c Revert "Management no longer operates on optional/provided to spring-security...
• Additional commits viewable in compare view

Sourced from spring-security-config's releases.

5.5.0

⭐ New Features

• Configure user name used for Gradle CI builds #9747
• HttpSessionOAuth2AuthorizationRequestRepository storing one OAuth2AuthorizationRequest #9649
• Incorrect javadoc in AuthorizationCodeOAuth2AuthorizedClientProvider #9708
• Restore Dependency Constraints for commons-codec and commons-logging #8836
• Stop CI Jobs on Forks #9717
• Update javadoc AuthorizationCodeOAuth2AuthorizedClientProvider #9730

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.7 #9750
• Update io.spring.nohttp to 0.0.8 #9753
• Update org.springframework to 5.3.7 #9754
• Update org.springframework.data to 2021.0.1 #9755
• Update r2dbc-spi-test to 0.8.5.RELEASE #9752
• Update spring-ldap-core to 2.3.4.RELEASE #9756
• Update to com.gradle.enterprise 3.6.1 #9764
• Update to Gradle. 6.9 #9758
• Update to Kotlin 1.5.0 #9763

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jzheaux
• @​talentedasian
• @​candrews
• @​marcusdacoregio

5.5.0-RC2

⏪ Breaking Changes

• Rename DelegatingAuthorizationManager to RequestMatcherDelegatingAuthorizationManager #9692
• Inline ResourceKeyConverterAdapter #9689

⭐ New Features

• Add Ability to Exclude Minor Version Bump #9709
• Add Task to Check if All Issues in GitHub Milestone are closed #9693
• rename master->main #9683
• Make Csrf cookie secure flag configurable (WebFlux) #9679
• Make the cookie secure flag configurable in CookieServerCsrfTokenRepository #9678
• Add RELEASE.adoc #9627

🔨 Dependency Upgrades

• Update ehcache to 2.10.9.2 #9712
• Update hibernate-entitymanager to 5.4.31.Final #9714

... (truncated)

Sourced from spring-security-config's changelog.

$ ./scripts/release/wait-for-done.sh 5.5.0

= Announce the release on Slack

• Announce via Slack on https://pivotal.slack.com/messages/spring-release[#spring-release], including the keyword +spring-security-announcing+ in the message. Something like:

.... spring-security-announcing 5.5.0 is available. ....

= Tag the release

• Tag the release and then push the tag

.... git tag 5.4.0-RC1 git push origin 5.4.0-RC1 ....

== 7. Update to Next Development Version

• Update gradle.properties version to next +SNAPSHOT+ version and then push

== 8. Update version on project page

The following command will update https://spring.io/projects/spring-security#learn with the new release version using the following parameters

- Replace with a https://github.com/settings/tokens[GitHub personal access token] that has a scope of public_repo - Replace with the milestone you are releasing now (i.e. 5.5.0-RC1) - Replace with the previous release which will be removed from the listed versions (i.e. 5.5.0-M3)

[source,bash]

$ ./gradlew saganCreateRelease saganDeleteRelease -PgitHubAccessToken= -PnextVersion= -PpreviousVersion=

== 9. Update Release Notes on GitHub

Generate the Release Notes replacing:

• - Replace with the milestone you are releasing now (i.e. 5.5.0-RC1)

---

$ ./gradlew generateChangelog -P

... (truncated)

• abd1001 Fix SpringNexsPublishPlugin spacing in root
• 39c5f3d Fix closeAndReleaseOssrhStagingRepository
• 05dd693 Delay until PublishAllJavaComponentsPlugin
• 0392495 Update GitHub Actions to use publishArtifacts
• 4d25115 opensaml4MainCompile
• 1491f2e Fix saml javadoc
• 777a275 fix bom
• b750f3b copyproperties for bom plugin
• b0f661f Revert "Map optional dependencies to Maven"
• d8e4f6c Revert "Management no longer operates on optional/provided to spring-security...
• Additional commits viewable in compare view

Sourced from spring-security-taglibs's releases.

5.5.0

⭐ New Features

• Configure user name used for Gradle CI builds #9747
• HttpSessionOAuth2AuthorizationRequestRepository storing one OAuth2AuthorizationRequest #9649
• Incorrect javadoc in AuthorizationCodeOAuth2AuthorizedClientProvider #9708
• Restore Dependency Constraints for commons-codec and commons-logging #8836
• Stop CI Jobs on Forks #9717
• Update javadoc AuthorizationCodeOAuth2AuthorizedClientProvider #9730

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.7 #9750
• Update io.spring.nohttp to 0.0.8 #9753
• Update org.springframework to 5.3.7 #9754
• Update org.springframework.data to 2021.0.1 #9755
• Update r2dbc-spi-test to 0.8.5.RELEASE #9752
• Update spring-ldap-core to 2.3.4.RELEASE #9756
• Update to com.gradle.enterprise 3.6.1 #9764
• Update to Gradle. 6.9 #9758
• Update to Kotlin 1.5.0 #9763

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jzheaux
• @​talentedasian
• @​candrews
• @​marcusdacoregio

5.5.0-RC2

⏪ Breaking Changes

• Rename DelegatingAuthorizationManager to RequestMatcherDelegatingAuthorizationManager #9692
• Inline ResourceKeyConverterAdapter #9689

⭐ New Features

• Add Ability to Exclude Minor Version Bump #9709
• Add Task to Check if All Issues in GitHub Milestone are closed #9693
• rename master->main #9683
• Make Csrf cookie secure flag configurable (WebFlux) #9679
• Make the cookie secure flag configurable in CookieServerCsrfTokenRepository #9678
• Add RELEASE.adoc #9627

🔨 Dependency Upgrades

• Update ehcache to 2.10.9.2 #9712
• Update hibernate-entitymanager to 5.4.31.Final #9714

... (truncated)

Sourced from spring-security-taglibs's changelog.

$ ./scripts/release/wait-for-done.sh 5.5.0

= Announce the release on Slack

• Announce via Slack on https://pivotal.slack.com/messages/spring-release[#spring-release], including the keyword +spring-security-announcing+ in the message. Something like:

.... spring-security-announcing 5.5.0 is available. ....

= Tag the release

• Tag the release and then push the tag

.... git tag 5.4.0-RC1 git push origin 5.4.0-RC1 ....

== 7. Update to Next Development Version

• Update gradle.properties version to next +SNAPSHOT+ version and then push

== 8. Update version on project page

The following command will update https://spring.io/projects/spring-security#learn with the new release version using the following parameters

- Replace with a https://github.com/settings/tokens[GitHub personal access token] that has a scope of public_repo - Replace with the milestone you are releasing now (i.e. 5.5.0-RC1) - Replace with the previous release which will be removed from the listed versions (i.e. 5.5.0-M3)

[source,bash]

$ ./gradlew saganCreateRelease saganDeleteRelease -PgitHubAccessToken= -PnextVersion= -PpreviousVersion=

== 9. Update Release Notes on GitHub

Generate the Release Notes replacing:

• - Replace with the milestone you are releasing now (i.e. 5.5.0-RC1)

---

$ ./gradlew generateChangelog -P

... (truncated)

• abd1001 Fix SpringNexsPublishPlugin spacing in root
• 39c5f3d Fix closeAndReleaseOssrhStagingRepository
• 05dd693 Delay until PublishAllJavaComponentsPlugin
• 0392495 Update GitHub Actions to use publishArtifacts
• 4d25115 opensaml4MainCompile
• 1491f2e Fix saml javadoc
• 777a275 fix bom
• b750f3b copyproperties for bom plugin
• b0f661f Revert "Map optional dependencies to Maven"
• d8e4f6c Revert "Management no longer operates on optional/provided to spring-security...
• Additional commits viewable in compare view

Sourced from spring-security-test's releases.

5.5.0

⭐ New Features

• Configure user name used for Gradle CI builds #9747
• HttpSessionOAuth2AuthorizationRequestRepository storing one OAuth2AuthorizationRequest #9649
• Incorrect javadoc in AuthorizationCodeOAuth2AuthorizedClientProvider #9708
• Restore Dependency Constraints for commons-codec and commons-logging #8836
• Stop CI Jobs on Forks #9717
• Update javadoc AuthorizationCodeOAuth2AuthorizedClientProvider #9730

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.7 #9750
• Update io.spring.nohttp to 0.0.8 #9753
• Update org.springframework to 5.3.7 #9754
• Update org.springframework.data to 2021.0.1 #9755
• Update r2dbc-spi-test to 0.8.5.RELEASE #9752
• Update spring-ldap-core to 2.3.4.RELEASE #9756
• Update to com.gradle.enterprise 3.6.1 #9764
• Update to Gradle. 6.9 #9758
• Update to Kotlin 1.5.0 #9763

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jzheaux
• @​talentedasian
• @​candrews
• @​marcusdacoregio

5.5.0-RC2

⏪ Breaking Changes

• Rename DelegatingAuthorizationManager to RequestMatcherDelegatingAuthorizationManager #9692
• Inline ResourceKeyConverterAdapter #9689

⭐ New Features

• Add Ability to Exclude Minor Version Bump #9709
• Add Task to Check if All Issues in GitHub Milestone are closed #9693
• rename master->main #9683
• Make Csrf cookie secure flag configurable (WebFlux) #9679
• Make the cookie secure flag configurable in CookieServerCsrfTokenRepository #9678
• Add RELEASE.adoc #9627

🔨 Dependency Upgrades

• Update ehcache to 2.10.9.2 #9712
• Update hibernate-entitymanager to 5.4.31.Final #9714

... (truncated)

Sourced from spring-security-test's changelog.

$ ./scripts/release/wait-for-done.sh 5.5.0

= Announce the release on Slack

• Announce via Slack on https://pivotal.slack.com/messages/spring-release[#spring-release], including the keyword +spring-security-announcing+ in the message. Something like:

.... spring-security-announcing 5.5.0 is available. ....

= Tag the release

• Tag the release and then push the tag

.... git tag 5.4.0-RC1 git push origin 5.4.0-RC1 ....

== 7. Update to Next Development Version

• Update gradle.properties version to next +SNAPSHOT+ version and then push

== 8. Update version on project page

The following command will update https://spring.io/projects/spring-security#learn with the new release version using the following parameters

- Replace with a https://github.com/settings/tokens[GitHub personal access token] that has a scope of public_repo - Replace with the milestone you are releasing now (i.e. 5.5.0-RC1) - Replace with the previous release which will be removed from the listed versions (i.e. 5.5.0-M3)

[source,bash]

$ ./gradlew saganCreateRelease saganDeleteRelease -PgitHubAccessToken= -PnextVersion= -PpreviousVersion=

== 9. Update Release Notes on GitHub

Generate the Release Notes replacing:

• - Replace with the milestone you are releasing now (i.e. 5.5.0-RC1)

---

$ ./gradlew generateChangelog -P

... (truncated)

• abd1001 Fix SpringNexsPublishPlugin spacing in root
• 39c5f3d Fix closeAndReleaseOssrhStagingRepository
• 05dd693 Delay until PublishAllJavaComponentsPlugin
• 0392495 Update GitHub Actions to use publishArtifacts
• 4d25115 opensaml4MainCompile
• 1491f2e Fix saml javadoc
• 777a275 fix bom
• b750f3b copyproperties for bom plugin
• b0f661f Revert "Map optional dependencies to Maven"
• d8e4f6c Revert "Management no longer operates on optional/provided to spring-security...
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)