[ https://issues.apache.org/jira/browse/SM-5853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18048771#comment-18048771 ]

Geoff Denning commented on SM-5853:
-----------------------------------

Here's the process I followed to create the patch:
 # Copied each `spring-*-6.2.8` folder to a corresponding `spring-*-6.2.15` 
folder.
 # Updated pom version to `6.2.15_1-SNAPSHOT`.
 # Updated `pkgVersion` (if present) to `6.2.15`.
 # Updated `servicemix.osgi.source.version` to `6.2.15.1`.
 # Made a few minor whitespace improvements.

Additionally, I made some minor changes to `servicemix.osgi.import.pkg` in some 
modules:
 * Updated `org.aspectj.*` package import versions from `[1.8.6,3)` or 
`[1.8,3)` to `[1.9,3)` since Spring 6.2.x appears to depend on version 1.9.22: 
[https://github.com/spring-projects/spring-framework/blob/c89c4ac6144ca58221d0bc78d9b16b38d60d1691/framework-platform/framework-platform.gradle#L109]
 * Updated `org.hibernate.validator.*` package import versions from `[4,7)` to 
`[7,8)` since Spring 6.2 appears to depend on version 7.0.5.Final: 
[https://github.com/spring-projects/spring-framework/blob/c89c4ac6144ca58221d0bc78d9b16b38d60d1691/framework-platform/framework-platform.gradle#L130]
 * Updated `net.sf.ehcache.*` package import versions from `[2,4)` to `[3,4)` 
since Spring 6.2 appears to depend on version 3.10.8: 
[https://github.com/spring-projects/spring-framework/blob/c89c4ac6144ca58221d0bc78d9b16b38d60d1691/framework-platform/framework-platform.gradle#L121]
 * Updated `org.apache.log4j.*` package import versions from `[1.2.15,3)` to 
`[2,3)` since Spring 6.2 appears to depend on version 2.21.1: 
[https://github.com/spring-projects/spring-framework/blob/c89c4ac6144ca58221d0bc78d9b16b38d60d1691/framework-platform/framework-platform.gradle#L17]
 - I'm actually relatively confident that these imports can be removed 
entirely, but I left them there for safety.
 * Updated `joptsimple` package import version from `[4,6)` to `[5,6)` since 
Spring 6.2 appears to depend on version 5.0.4: 
[https://github.com/spring-projects/spring-framework/blob/c89c4ac6144ca58221d0bc78d9b16b38d60d1691/framework-platform/framework-platform.gradle#L91]

The differences are hard to see in the patch since the poms are in new folders, 
so I created this patch showing the differences between the 6.2.8 pom.xml and 
corresponding 6.2.15 pom to visualize the changes. NOTE: This is for viewing 
only, don't try to apply this: [^spring-6.2.8-to-spring-6.2.15.diff]

For testing, I verified that all modules compile successfully, and I tested 
most of the bundles with our OSGi application that currently uses the Spring 
6.2.8 Servicemix bundles in Felix. All services started successfully and all 
automated regression tests passed.

Here's the patch: [^SM-5853.diff]
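A quick way to sanity-check the import-range updates listed in this comment, as an added example that is not part of the SM-5853 patch or the ServiceMix project: it parses OSGi version ranges (a simplified reading of the OSGi major.minor.micro.qualifier ordering, which is an assumption here) and reports, for each package, whether the old and the new range accept the version Spring 6.2 pins. The table is constructed from the ranges quoted above; a range that silently rejects the pinned version is how a bundle ends up wired to an older, possibly vulnerable, provider or fails to resolve at all.

```python
import re
from typing import Tuple

# Simplified OSGi version: major.minor.micro.qualifier; missing numeric parts
# default to 0 and the qualifier compares as a plain string after the numbers.
def parse_version(s: str) -> Tuple[int, int, int, str]:
    parts = s.strip().split(".", 3)
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    qualifier = parts[3] if len(parts) == 4 else ""
    return (nums[0], nums[1], nums[2], qualifier)

RANGE_RE = re.compile(r"^([\[(])\s*([^,]+?)\s*,\s*([^\])]+?)\s*([\])])$")

def in_range(version: str, rng: str) -> bool:
    """True if `version` satisfies the OSGi import range `rng`.
    A bare version such as "1.9" means "1.9 or higher" in OSGi."""
    m = RANGE_RE.match(rng.strip())
    v = parse_version(version)
    if not m:
        return v >= parse_version(rng)
    lo_br, lo, hi, hi_br = m.groups()
    lo_v, hi_v = parse_version(lo), parse_version(hi)
    lower_ok = v >= lo_v if lo_br == "[" else v > lo_v
    upper_ok = v <= hi_v if hi_br == "]" else v < hi_v
    return lower_ok and upper_ok

# Constructed from the comment: (package, old range, new range, pinned version).
IMPORTS = [
    ("org.aspectj.*",             "[1.8.6,3)",  "[1.9,3)", "1.9.22"),
    ("org.hibernate.validator.*", "[4,7)",      "[7,8)",   "7.0.5.Final"),
    ("net.sf.ehcache.*",          "[2,4)",      "[3,4)",   "3.10.8"),
    ("org.apache.log4j.*",        "[1.2.15,3)", "[2,3)",   "2.21.1"),
    ("joptsimple",                "[4,6)",      "[5,6)",   "5.0.4"),
]

def check_imports(table=IMPORTS):
    """Return {package: (old_range_accepts, new_range_accepts)} per row."""
    return {pkg: (in_range(ver, old), in_range(ver, new))
            for pkg, old, new, ver in table}

if __name__ == "__main__":
    for pkg, (old_ok, new_ok) in check_imports().items():
        print(f"{pkg:28} old accepts: {old_ok!s:5}  new accepts: {new_ok}")
```

Running it shows that only the `org.hibernate.validator.*` range actually excluded the pinned 7.0.5.Final; the other old ranges already accepted the newer versions, so those updates tighten the lower bound rather than fix a resolution failure.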

> Create OSGi bundles for Spring 6.2.15
> -------------------------------------
>
>                 Key: SM-5853
>                 URL: https://issues.apache.org/jira/browse/SM-5853
>             Project: ServiceMix
>          Issue Type: Dependency upgrade
>          Components: bundles
>            Reporter: Geoff Denning
>            Priority: Minor
>         Attachments: SM-5853.diff, spring-6.2.8-to-spring-6.2.15.diff
>
>
> The current 6.2.8 version (see SM-5836) has two vulnerabilities:
> [CVE-2025-41242|https://nvd.nist.gov/vuln/detail/CVE-2025-41242] (CVSS3 score 
> 5.9) raised on 2025-08-18.
>  * Upgrade to version org.springframework:spring-beans:6.2.10
>  * Upgrade to version 
> [https://github.com/spring-projects/spring-framework.git] - v6.2.10
> [CVE-2025-41249|https://nvd.nist.gov/vuln/detail/CVE-2025-41249] (CVSS3 score 
> 7.5) raised on 2025-09-16.
>  * Upgrade to version org.springframework:spring-core:6.2.11
>  * Upgrade to version 
> [https://github.com/spring-projects/spring-framework.git] - v6.2.11
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
