fix(deps): update dependency org.springframework:spring-core to v4 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework:spring-core	3.2.3.RELEASE -> 4.3.17.RELEASE

GitHub Vulnerability Alerts

CVE-2018-1257

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x (as well as other unsupported versions) rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

CVE-2018-1275

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

CVE-2014-3578

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

CVE-2015-5211

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-core)

v4.3.17.RELEASE: 4.3.17 Release

Compare Source

⭐ New Features

• Proper exception for controller method return types that do not work with MvcUriComponentsBuilder (e.g. final classes) [SPR-16710] #​21251
• Revise cache safety check to avoid performance regression in EAR packaged applications on WildFly [SPR-16714] #​21255
• Revise JCA MessageEndpoint exception logging and propagation [SPR-16717] #​21258
• Flag misguided evaluation attempts in OperatorMatches [SPR-16731] #​21272
• Expose configuration options for "selector" header [SPR-16732] #​21273
• Validate contextPath in RedirectView [SPR-16752] #​21293

🪲 Bug Fixes

• SpringFailOnTimeout loses original exception when triggering timeout in finally block [SPR-16716] #​21257
• Inconsistent getTypeForFactoryMethod results for parameterized factory method [SPR-16720] #​21261
• Generic constructor argument (e.g. ObjectProvider) fails to resolve for inner class [SPR-16734] #​21275
• AnnotationAwareOrderComparator uses Order instead of Priority for DecoratingProxy [SPR-16739] #​21280
• Exception swallowed in ResponseEntityExceptionHandler [SPR-16743] #​21284
• ConfigurationClassBeanDefinitionReader registers duplicate BeanDefinition for nested scoped component [SPR-16756] #​21297
• Misleading error message when evaluating T operator [SPR-16762] #​21303
• NPE in SimpleClient-HttpURLConnection with errorstream-buffering [SPR-16773] #​21313
• Singleton from a FactoryBean may be post-processed twice if the first post-processing triggers a second attempt to get the bean [SPR-16783] #​21323

v4.3.16.RELEASE: 4.3.16 Release

Compare Source

🪲 Bug Fixes

• EL1072E when evaluating compiled null-safe expression [SPR-16489] #​21032
• ClassCastException in TestDispatcherServlet [SPR-16695] #​21236

v4.3.15.RELEASE: 4.3.15 Release

Compare Source

⭐ New Features

• Spring Websockets Broker relay supporting a cluster of STOMP endpoint addresses [SPR-12452] #​17057
• Quartz Scheduler - configurable SchedulerFactory [SPR-16439] #​20985
• Avoid String concatenation for not-null assertion in BeanProperty/DirectFieldBindingResult [SPR-16455] #​21000
• AcceptHeaderLocaleResolver should match country locales against supported language locales [SPR-16457] #​21002
• Support for ResolvableType.getType().getTypeName() on Java 8 [SPR-16535] #​21078
• Consistent incrementer arrangement for PostgreSQL, DB2 and SAP HANA [SPR-16558] #​21101
• MockMvcResultMatchers.jsonPath(String).value() should have a matching method to declare the expected type [SPR-16587] #​21129
• Support for SimpleEvaluationContext in SpEL [SPR-16588] #​21130
• Consistent volatile access to running flag in Lifecycle implementations [SPR-16596] #​21137
• When @DependsOn throws a NoSuchBeanDefinitionException it should include the dependent bean for clarity [SPR-16628] #​21169
• Generate multipart boundary using SecureRandom [SPR-16635] #​21176
• Reduce ClassUtils.forName overhead (in particular for annotation introspection purposes) [SPR-16667] #​21208
• Add cpp to mime.types as text/plain [SPR-16678] #​21219

🪲 Bug Fixes

• Precondition failed for PUT methods on ResponseEntity return types [SPR-15780] #​20335
• SubProtocolWebSocketHandler should not log ERROR on "No messages received after ..." [SPR-16409] #​20955
• ServletServerHttpRequest.getURI() may throw a java.net.URISyntaxException [SPR-16414] #​20960
• AbstractClientSockJsSession.close call does not propagate IOException from disconnect [SPR-16415] #​20961
• Spurious WARNINGs when XML declared TransactionProxyFactoryBean's target bean depends on an annotation declared bean that depends on another bean [SPR-16427] #​20973
• Lambda error detection might not work on JDK 9 [SPR-16435] #​20981
• CachingConnectionFactory - Invalid session in session cache [SPR-16450] #​20995
• MockMvcRequestBuilder does not decode pathInfo [SPR-16453] #​20998
• MimeType compareTo implementation is not compatible with equals [SPR-16458] #​21003
• GSON converter only serialises fields of controller method return type, ignoring subclass fields of response object [SPR-16461] #​21006
• SimpleJdbcCall can't access synonyms in Oracle database [SPR-16478] #​21022
• Set thread interrupt flag on InterruptedException [SPR-16479] #​21023
• JsonMappingException when trying to instantiate org.springframework.messaging.Message [SPR-16486] #​21029
• Deadlock in SubProtocolWebSocketHandler on shutdown with Undertow [SPR-16488] #​21031
• NPE in Spring-JDBC with Oracle and SimpleJdbcInsert [SPR-16495] #​21038
• ExceptionHandlerExceptionResolver advice applicability check may fail against interface-based controller proxy [SPR-16496] #​21039
• FormTag renders empty
  tag [SPR-16498] #​21041
• ForwardedHeaderFilter garbles query params during sendRedirect() [SPR-16506] #​21049
• StringIndexOutOfBoundsException when rewriting links in CSS resources [SPR-16526] #​21069
• Spurious ERROR-level logging when using SSEEmitter [SPR-16528] #​21071
• GsonHttpMessageConverter cannot be used in an SseEmitter because it closes the response stream [SPR-16529] #​21072
• testBindInstantFromJavaUtilDate fails on systems in the Pacific/Auckland time zone [SPR-16534] #​21077
• WebApplicationContextFacesELResolver#isReadOnly always return false [SPR-16543] #​21086
• PostgresTableMetaDataProvider.isGetGeneratedKeysSimulated() does not detect Postgres 10 [SPR-16556] #​21099
• Missing PersistenceException cause message in refresh failure warn log [SPR-16559] #​21102
• Reading annotations in ConfigurationClassParser does not fall back to ASM on Google App Engine [SPR-16564] #​21106
• Inconsistent synchronization in AbstractBeanFactoryBasedTargetSource and JdbcAccessor [SPR-16570] #​21112
• WebAsyncManager concurrentResult should be volatile [SPR-16571] #​21113
• TransactionTemplate inherits equals()/hashCode() from DefaultTransactionDefinition [SPR-16572] #​21114
• SimpleAliasRegistry registerAlias not atomic [SPR-16577] #​21119
• URIEditor should not double escape classpath: URIs [SPR-16581] #​21123
• RestTemplate with HttpComponentsClientHttpRequestFactory and no buffering with an interceptor throws UnsupportedOperationException [SPR-16582] #​21124
• Inconsistent handling of null values through Java 8 accessors in ConcurrentReferenceHashMap [SPR-16584] #​21126
• AcceptHeaderLocaleResolver chooses wrong Locale for language match [SPR-16599] #​21140
• CallMetaDataContext.reconcileParameters doesn't catch output parameters with DatabaseMetaData.procedureColumnResult type (on Postgres) [SPR-16611] #​21152
• Consistent thread-safe iteration in DefaultSingletonBeanRegistry [SPR-16620] #​21161
• FactoryBeanRegistrySupport atomicity issues [SPR-16625] #​21166
• Address race condition within spring that causes about-to-be-created-bean exceptions [SPR-16627] #​21168
• An error occurs if a blank character exists before and after the delimiter of the MIME type parameter. [SPR-16630] #​21171
• Multipart Upload with Commons Fileupload on lazy mode downloads data on cleanup [SPR-16640] #​21181
• Concurrent result may be missed due to a race condition in MockMvc [SPR-16648] #​21189
• ServletUriComponentsBuilder should replace context path when X-Forwarded-Prefix is present [SPR-16650] #​21191
• Annotation lookup on parameter in inner class constructor fails when using javac from JDK versions prior to 9 [SPR-16652] #​21193
• UriComponentsBuilder Forwarded header parsing can throw java.lang.NumberFormatException [SPR-16660] #​21201
• NamedParameterUtils.parseSqlStatement should parse :{x} style parameter correctly [SPR-16663] #​21204
• Unable to bind a null value for UUID column with PostgreSQL [SPR-16669] #​21210
• SimpleMailMessage's handling of to/cc/bcc arrays is inconsistent [SPR-16671] #​21212
• DefaultResponseErrorHandler wastes the body of a response with an unknown status [SPR-16604] #​21145
• Race condition in ConcurrentMapCache [SPR-16533] #​21076

📔 Documentation

• Incorrect description for class-level @Transactional with AspectJ [SPR-16552] #​21095
• Doc: @Scope not inherited from base class [SPR-16602] #​21143

v4.3.14.RELEASE: 4.3.14 Release

Compare Source

⭐ New Features

• Reduce access on user in SimpleBrokerMessageHandler.handleMessageInternal [SPR-16264] #​20811
• config.enableSimpleBroker("/topic", "/queue"); Should be config.enableSimpleBroker("/topic", "queue"); [SPR-16275] #​20822
• Allow to inject enum with package visibility [SPR-16284] #​20831
• Improve performance of some string operations [SPR-16293] #​20840
• ComponentScanBeanDefinitionParser::parseTypeFilters should not fail on ClassNotFoundException [SPR-16356] #​20903
• Use ArrayList instead of LinkedList for known size [SPR-16378] #​20924

🪲 Bug Fixes

• Error in RestTemplate when setting the same HTTP header through ClientHttpRequestInterceptor and HttpEntity [SPR-15066] #​19632
• Combining @Retryable and @Scheduled/@JmsListener doesn't work [SPR-16196] #​20744
• Exception when receiving Long collection in MessageMapping [SPR-16252] #​20799
• NPE in FunctionReference due to race condition in SpelExpression.getValue() [SPR-16255] #​20802
• spring-web CORS requires X-Forwarded-Port [SPR-16262] #​20809
• Stomp Broker Relay may ignore configured destination prefixes [SPR-16265] #​20812
• Embedded cglib 3.2.5 not closing input streams that read class files [SPR-16267] #​20814
• BeanUtils.isSimpleValueType() returns false for enums overriding a method [SPR-16278] #​20825
• Unnecessary file system access in SimpleMetadataReaderFactory.getMetadataReader [SPR-16281] #​20828
• Ambiguous mapping error when using generic interface [SPR-16288] #​20835
• Programmatic creation of caching proxies using CacheProxyFactoryBean does not work [SPR-16295] #​20842
• Access-Control-Allow-Origin header returns wrong value using SockJS [SPR-16304] #​20851
• Large transaction timeout value (Integer.MAX_VALUE for example) results in transaction expiring immediately after starting. [SPR-16316] #​20863
• @JmsListener concurrency property is ignored if DefaultJmsListenerContainerFactory#concurrency is set [SPR-16338] #​20885
• JMS Producers are cached even when the destination is a temporary queue causing a memory leak [SPR-16353] #​20900
• TestExecutionListener class not found logged at INFO [SPR-16369] #​20916
• EclipseLink does not log SQL parameters when using showSql [SPR-16383] #​20929
• RestTemplate.ResponseEntityResponseExtractor doesn't tolerate unknown status codes [SPR-16371] #​20918
• MockClientHttpResponse should not return null body [SPR-16367] #​20914
• Null path after UriComponents.normalize() results in NullPointerException [SPR-16364] #​20911

📔 Documentation

• Incorrect SpEL syntax in reference documentation [SPR-16315] #​20862

v4.3.13.RELEASE: 4.3.13 Release

Compare Source

⭐ New Features

• Prevent WebSocket buffer overflow through application-level flow control [SPR-16089] #​20638
• SchedulingConfigurer and JmsListenerConfigurer should respect @Order [SPR-16090] #​20639
• Avoid temporary String creation in StringUtils.starts/endsWithIgnoreCase [SPR-16095] #​20644
• Make JpaVendorAdapters JTA-aware (in particular for Hibernate 5.1/5.2) [SPR-16162] #​20710
• Reduce access on headers for STOMP messaging [SPR-16165] #​20713
• spring-jdbc : Improve memory allocations when substituting named parameters. [SPR-16170] #​20718

🪲 Bug Fixes

• Checkbox/RadioButton incorrectly converts collections of enums with a custom converter [SPR-16082] #​20631
• @ModelAttribute binding defined globally for particular attribute rather than per method invocation [SPR-16083] #​20632
• WebSphereUowTransactionManager swallows original exception when commit fails for another reason [SPR-16102] #​20650
• Incorrectly identify bridged method on interface [SPR-16103] #​20651
• PathMatchingResourcePatternResolver returns duplicate resources when using classpath* prefix [SPR-16117] #​20665
• SpEL method invocation with varargs on proxy [SPR-16122] #​20670
• AbstractRequestExpectationManager fails with "Expectations already declared" when ResponseCreator.createResponse throws an exception [SPR-16132] #​20680
• MockHttpServletRequest with Host: set builds wrong getRequestURL() [SPR-16138] #​20686
• ClassPathResource.createRelative is using wrong ClassPathResource constructor for the returned resource [SPR-16146] #​20694
• Early ApplicationContext close call may lead to ApplicationEventMulticaster/LifecycleProcessor access exception [SPR-16149] #​20697
• When using NamedParameterJdbcTemplate, NVARCHAR or NCLOB(4000 characters or less) columns are not properly populated since StatementCreatorUtils does setString for these types instead of setNString. [SPR-16154] #​20702
• MockHttpServletResponse.getDateHeader fails with NPE for non-existing header [SPR-16160] #​20708
• NumberFormatException caused by property paths from JSR-303 based validation with no index into a collection [SPR-16177] #​20725
• Wrong byte code for compiled SpEL when JDK proxy method invocation is used [SPR-16191] #​20739
• DefaultResponseErrorHandler.hasError doesn't tolerate unknown status codes [SPR-16108] #​20656
• setArguments(null) on MethodInvoker no longer coerces null to Object[0] [SPR-16075] #​20624
• RequestMapping method returning Future with null result causes NullPointerException [SPR-16072] #​20621
• WebAsyncManager concurrency issue with SseEmitter when client disconnect [SPR-16058] #​20607

📔 Documentation

• Improve documentation of lite configuration mode [SPR-16076] #​20625
• Clarify Bean destroyMethod documentation [SPR-16078] #​20627
• Incorrect SpEL example in reference documentation [SPR-16111] #​20659
• End of first-class JDK 6 support [SPR-16185] #​20733

v4.3.12.RELEASE: 4.3.12 Release

Compare Source

⭐ New Features

• Add convenient method to construct ParameterizedTypeReference from Type [SPR-16054] #​20603
• Backport s/s/m/j/o/s/m/w/MockPart.java from 5.x to 4.3.x [SPR-15854] #​20409

🪲 Bug Fixes

• Request params Optional<List and List are inconsistent [SPR-15676] #​20235
• java.util.Optional MultipartFile[] @RequestParam argument is null in multipart/form-data POST [SPR-15918] #​20472
• only one MultipartFile object populated when using an java.util.Optional MutipartFile array or list @RequestParam [SPR-15919] #​20473
• HttpEntityMethodProcessor discards headers [SPR-15952] #​20504
• TaskExecutorRegistration.getTaskExecutor() overrides executor properties of a provided ThreadPoolTaskExecutor [SPR-15962] #​20514
• JmsMessagingTemplate is not correctly configured [SPR-15965] #​20517
• ChannelRegistration.setInterceptors is misnamed [SPR-15976] #​20527
• RestTemplate doesn't consistently tolerate unknown HTTP status codes [SPR-15978] #​20529
• PathMatchingResourcePatternResolver provides duplicate resources when using classpath* prefix combined with ant-style [SPR-15989] #​20539
• Spring EL does not allow '\0' characters [SPR-16032] #​20581
• sort BeanDefinitionRegistryPostProcessors added by other BeanDefinitionRegistryPostProcessors [SPR-16043] #​20592
• SpelExpression throws NullPointerException instead of EvaluationException for primitives [SPR-16123] #​20671

v4.3.11.RELEASE: 4.3.11 Release

Compare Source

⭐ New Features

• @Lazy collection of optional elements should not crash when no candidates are found [SPR-15858] #​20413
• WebAsyncManager should cancel task thread on timeout [SPR-15852] #​20407
• Consistent logging in Environment and PropertySource implementations [SPR-15825] #​20380

🪲 Bug Fixes

• StompDecoder Logs Null Session IDs for Heartbeats [SPR-15937] #​20491
• Error on type argument constraint validation failure [SPR-15916] #​20470
• StringIndexOutOfBoundsException from RestTemplate.doExecute IOException handler when query string is empty [SPR-15900] #​20454
• SimpleAsyncTaskExecutor not respect ConcurrencyThrottleSupport.NO_CONCURRENCY limit [SPR-15895] #​20449
• Should call getNativeResponse() instead of getNativeRequest() in FrameworkServlet [SPR-15867] #​20422
• Unable to use Hibernate Validator 4.3.2 if Bean Validation API 1.1 is on the classpath [SPR-15856] #​20411
• SimpleApplicationEventMulticaster does not deal with lambda-defined listeners when ErrorHandler is set [SPR-15838] #​20393
• spring-aspects should remain on AspectJ 1.8.9 by default (since aspectjrt 1.8.10 requires Java 7+) [SPR-15836] #​20391
• Parameter values are null when making a PUT request [SPR-15828] #​20383
• Follow-up: AbstractMethodError when calling validated method of MethodValidationPostProcessor is using a @Lazy validator [SPR-15807] #​20362
• Logs fill with broken pipe when using SockJS [SPR-15802] #​20357
• Invalid WARN when returning a BeanDefinitionRegistryPostProcessor from within a @Configuration class [SPR-14603] #​19172

v4.3.10.RELEASE: 4.3.10 Release

Compare Source

⭐ New Features

• Ignore (Auto)Closeable for interface-based proxy decision [SPR-15779] #​20334
• Bean factory method collision with configuration class name gives unclear error message [SPR-15775] #​20330
• CustomizableTraceInterceptor should allow INVOCATION_TIME placeholder in setExceptionMessage and make stack trace logging configurable [SPR-15763] #​20318
• LinkedCaseInsensitiveMap cannot access locale from subclass [SPR-15752] #​20307
• ForwardedHeaderFilter should expose option for not converting relative redirects to absolute ones [SPR-15717] #​20273
• AbstractValueAdaptingCache does not allow for flexible null value serialization [SPR-15693] #​20252
• Fine-tune HTTP/RMI Invoker exception handling [SPR-15684] #​20243
• Support CachingHttpAsyncClient from httpasyncclient-cache in HttpComponentsAsyncClientHttpRequestFactory [SPR-15664] #​20223
• Cron expression validation method in CronSequenceGenerator improved [SPR-15604] #​20163
• Upgrade to Objenesis 2.6 for Google App Engine Standard on Java 8 and for better JDK 9 support [SPR-15600] #​20159

🪲 Bug Fixes

• UriUtils.extractFileExtension() does not properly handle all fragments [SPR-15786] #​20341
• PropertyOrFieldReference invalidly reuses cached PropertyAccessor [SPR-15769] #​20324
• ClassCastException during deserialization of ScopedObject [SPR-15766] #​20321
• AbstractJackson2HttpMessageConverter throws exception if log level is ERROR [SPR-15760] #​20315
• ReflectionTestUtils accidentally requires spring-aop on the classpath [SPR-15757] #​20312
• MockMvc duplicates PUT Parameter value [SPR-15753] #​20308
• JSP tags doesn't pick up JSTL-defined time zone at page level [SPR-15746] #​20302
• JMS Integration with Tibco causes deadlock while using DefaultMessageListenerContainer [SPR-15738] #​20294
• Memory Leak due to not pruning factoryBeanObjectCache when closing the ApplicationContext [SPR-15722] #​20278
• WebAsyncManager is not compatible with the crosscontext mode [SPR-15709] #​20266
• Netty4ClientHttpRequest does not include port along with host [SPR-15706] #​20263
• @EventListener's 'condition' doesn't work as expected with proxied beans [SPR-15678] #​20237
• SimpleRequestExpectationManager fails with sequential calls with different count [SPR-15672] #​20231

v4.3.9.RELEASE: 4.3.9 Release

Compare Source

⭐ New Features

• ForwardedHeaderFilter should provide option to "remove" forwarded headers without using them [SPR-15610] #​20169
• Optimize DefaultUserDestinationResolver.resolveDestination() [SPR-15602] #​20161
• Inefficient use of keySet operators in messaging classes [SPR-15553] #​20112
• Increase log level in ExceptionWebSocketHandlerDecorator [SPR-15537] #​20096
• UriComponentsBuilder's fromHttpRequest uses server port as host port when handling the Forwarded header [SPR-15504] #​20063
• Also clear SerializableTypeWrapper when ResolvableType cache is cleared [SPR-15503] #​20062
• Defer StringHttpMessageConverter Charset.availableCharsets() call [SPR-15502] #​20061
• Allow for HttpOnly cookie result matcher [SPR-15488] #​20048
• Add getTargetCache to TransactionAwareCacheDecorator [SPR-15479] #​20039
• Optimize AntPathMatcher when checking for potential matches [SPR-15477] #​20037
• Lazily initialize Environment in GenericFilterBean (aligned with HttpServletBean) [SPR-15469] #​20029
• Honor @Autowired(required=false) at parameter level, as an alternative to java.util.Optional [SPR-15268] #​19833

🪲 Bug Fixes

• AbstractMethodError when calling validated method of MethodValidationPostProcessor is using a @Lazy validator [SPR-15629] #​20188
• Poor diagnostics when Jackson cannot deserialise an application/json payload due to a missing deserialiser [SPR-15582] #​20141
• Consistently accept "taskExecutor" bean of type Executor (as stated in @EnableAsync's javadoc) [SPR-15566] #​20125
• LocalValidatorFactoryBean does not support unwrap for native ValidatorFactory [SPR-15561] #​20120
• Multipart range requests leave file handles open [SPR-15559] #​20118
• o/s/mail/javamail mime.types has duplicate image/jpeg entries [SPR-15557] #​20116
• ResourceUtils.extractArchiveURL fails to work under Tomcat 8.0.41 with unpackWARs=false [SPR-15556] #​20115
• o/s/mail/javamail mime.types PNG mapped to image/x-png [SPR-15546] #​20105
• DefaultSubscriptionRegistry should prevent duplicate subscription id in accessCache [SPR-15543] #​20102
• WebJarsResourceResolver: multiple matches in case of multiple files with the same name in the same webjar [SPR-15526] #​20085
• HandlerExecutionChain toString() may miss interceptors [SPR-15525] #​20084
• "Not a setter" exception cannot be be thrown in Property.java [SPR-15507] #​20066
• AbstractFlashMapManager.isFlashMapForRequest does not inspect forwarded request coherently [SPR-15505] #​20064
• Deceptive error message in Spring Test ModelResultMatchers [SPR-15487] #​20047
• Last modified check of Resource created from Tomcat war:file: URL fails with FileNotFoundException [SPR-15485] #​20045
• AnnotationUtils.getValue() may hide relevant errors [SPR-15481] #​20041

📔 Documentation

• Improve docs around the use of "Forwarded" and "X-Forwarded-*" headers [SPR-15612] #​20171
• What's new section in 4.3.x reference should have introductory paragraphs [SPR-15585] #​20144
• Doc: Typo in ResponseBodyAdvice class description [SPR-15466] #​20026

v4.3.8.RELEASE: 4.3.8 Release

Compare Source

⭐ New Features

• Make SessionLocaleResolver's attribute name configurable [SPR-15450] #​20011
• Add constructor to ShadowingClassLoader to create an instance without default excludes [SPR-15439] #​20000
• Improve performance of StringUtils.replace() if pattern is not found [SPR-15430] #​19991
• Revise AcceptHeaderLocaleResolver default locale handling [SPR-15426] #​19987
• Minimize reflective interaction with annotation instances during retrieval [SPR-15387] #​19950
• Spring JDBC not correctly processing Postgresql ?| and ?& operator [SPR-15382] #​19945
• Make it easier to see the HTTP headers when debugging MockMvc-based tests [SPR-15375] #​19939
• GenericCallMetaDataProvider should not treat 'NULLABLE' column as boolean (for compatibility with latest Postgres driver) [SPR-15333] #​19896
• DefaultResponseErrorHandler should have its methods protected [SPR-15329] #​19892
• JRubyScriptFactory compatibility with JRuby 9.1.7+ [SPR-15322] #​19885
• Support for HtmlUnit 2.25+ [SPR-15319] #​19882
• Support for @Lookup methods within @Configuration classes [SPR-15316] #​19879
• sockjs heartbeat failure logged at ERROR level [SPR-15307] #​19871
• Session-scoped bean should have its state propagated to the HttpSession at the end of its initial request (even without further access) [SPR-15300] #​19865
• StandardMultipartFile.transferTo should fall back to manual copy if Part.write doesn't support absolute locations (e.g. on Jetty) [SPR-15257] #​19822
• Avoid re-retrieval of @ResponseStatus annotation for each request [SPR-15227] #​19792

🪲 Bug Fixes

• ApplicationListener potentially invoked twice in circular reference with proxy [SPR-15452] #​20013
• When setting spring.freemarker.template-loader-path to an s3 bucket, the SpringTemplateLoader is not selected [SPR-15445] #​20006
• AbstractRecursiveAnnotationVisitor can't access a package protected enum value [SPR-15442] #​20003
• UnknownHostException not accepted as "resource not found" anymore [SPR-15433] #​19994
• ForwardedHeaderFilter.ForwardedHeaderRequestWrapper does not preserve ; [SPR-15428] #​19989
• ForwardedHeaderRequestWrapper should return a new StringBuffer instance on each invocation of the getRequestURL method [SPR-15423] #​19984
• ForwardedHeaderFilter.ForwardedHeaderRequestWrapper does not preserve encoding of requestURI [SPR-15422] #​19983
• UrlResource getFilename should not contain query parameters [SPR-15411] #​19974
• SettableListenableFuture setException is inconsistent with callbacks under race [SPR-15409] #​19972
• NullPointerException can happen in HttpRequestMethodNotSupportedException.getSupportedHttpMethods() [SPR-15377] #​19941
• VersionResourceResolver does not delegate path resolution to the chain [SPR-15372] #​19936
• PathMatchingResourcePatternResolver fails to work under Tomcat 8.0.41 with unpackWARs=false [SPR-15332] #​19895

📔 Documentation

• Cache Abstraction: Improve unless condition with optional [SPR-15449] #​20010
• SpEL examples in chapter "Cache Abstraction" [SPR-15448] #​20009
• [doc] Update @ControllerAdvice Javadoc to discuss ordering [SPR-15432] #​19993

v4.3.7.RELEASE: 4.3.7 Release

Compare Source

⭐ New Features

• Skip transaction/caching metadata retrieval for java.lang.Object methods [SPR-15296] #​19861
• MessageHeaderAccessor's MutableMessageHeaders should be serializable [SPR-15262] #​19827
• Consistently support CompletionStage next to CompletableFuture [SPR-15258] #​19823
• Database.SQL_SERVER should set more recent Hibernate dialect with Spring 4.3.x [SPR-15255] #​19820
• Allow configuring the ContentNegotiationManager in MockMVC standalone controller setup [SPR-15248] #​19813
• DefaultSubscriptionRegistry should prevent duplicate Subscriptions per subscription id [SPR-15229] #​19794
• Log failures to load PropertySources when ignoreResourceNotFound = true [SPR-15218] #​19783
• Support for read-only transactions with Oracle 12c JDBC driver [SPR-15210] #​19774
• TransactionSynchronizationManager - throw an Exception or log a warning if a Synchronization wants to add a Synchronization and afterCompletion is already called [SPR-11590] #​16214

🪲 Bug Fixes

• @Configuration processing fails to handle AbstractFactoryBean.getObject() calls [SPR-15275] #​19840
• HEAD response has "Content-Length: 0" for @RestController @GetMapping methods [SPR-15261] #​19826
• RestTemplate with MockMvcClientHttpRequestFactory double encodes URIs [SPR-15254] #​19819
• RestTemplate with Netty produces two Content-Length headers [SPR-15241] #​19806
• MockHttpServletRequest.protocol default should be "HTTP/1.1", not "http" [SPR-15232] #​19797
• DispatcherServlet's multipart request parsing fails during Jetty error dispatch [SPR-15231] #​19796
• SettableListenableFuture may be successfully set with failureCallback executed and success callback ignored [SPR-15216] #​19781
• MockHttpServletRequest.getReader() returns null in case of no content [SPR-15215] #​19780
• Principal check in ServletRequestMethodArgumentResolver can result in type mismatches [SPR-15214] #​19779
• HTTP Response should not contain both Transfer-Encoding and Content-Length headers [SPR-15212] #​19776
• SettableListenableFuture may be both set and canceled successfully [SPR-15202] #​19766
• Spring does not clean up db connection registered in afterCompletion callback [SPR-15194] #​19759
• SpelCompiler VerifyError - Incompatible argument to function [SPR-15192] #​19758
• If backing Cache is down @CacheResult does not seamlessly call method (in contrast to @Cacheable) [SPR-15188] #​19754
• InterceptingClientHttpRequest replaces headers set in request fa

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.