·
9617 commits
to main
since this release
This backport release includes a few fixes to build locally, as well as backports of fixes for the following CVEs:
- CVE-2022-22976: BCrypt skips salt rounds for work factor of 31 (link)
- CVE-2022-22978: Authorization Bypass in RegexRequestMatcher (link)
Note that this is technically a breaking release and doesn't follow Semantic Versioning as it includes backports of code from Spring Security 5.3 that uses JDK 8 constructs, and thus the build was updated to generate jars compatible with JDK 8 and above, rather than the 1.6 that Spring Security 4.2.x was previously compatible with.
Full Changelog: 4.2.20.RELEASE...v4.2.21.RELEASE_1.ONMS.1