[We're working on upgrading from (heavily backported-patched) CAS 6.1 to something supported by the OS project. In the meantime....]
We know our CAS 6.1 system is using SpringFramework 5.2.0 but is not directly vulnerable to the CVE-2022-22965 (not deployed as a .war in Tomcat). Nevertheless, we would like to start testing a SpringFramework upgrade to avoid future ways of reaching the vulnerability. The normal way would be to change our SpringBoot dependency, but CAS6.1 uses SB2.2.4 and moving it to SB2.5.12 seems like a BIG jump. The SpringFramework upgrade from 5.2.0 to 5.2.20 seems preferable given it stays within the 5.2 release. To try to accomplish a SpringFramework upgrade, we've tried "springVersion=5.2.20" in gradle.properties, but the resulting project still seemed to be using 5.2.0. Does anyone have advice on how to proceed? -Upgrade SpringBoot from 2.2.4 to 2.5.12 (easy to do, worried it isn't likely to work) -Upgrade SpringFramework from 5.2.0 --> 5.2.20 (we don't know how to do this) -Something else? Thank you, Bert Bee-Lindgren -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ee5d0d05-cf64-42e4-b3bd-7a65dd63f44en%40apereo.org.
