Announcing atlassian-connect-spring-boot 2.0.6

epehrson · May 4, 2020, 1:48pm

Hi,

version 2.0.6 of atlassian-connect-spring-boot is now available via Maven Central. This release includes the fix for a security issue introduced in the upgrade to Spring Boot 2.0. This extract from the project changelog summaries the recent incremental releases.

2.0.6 - 2020-05-04

ACSPRING-108 Disable session cookies

2.0.5 - 2020-04-08

ACSPRING-107 Enable configuring paths that require JWT authentication

2.0.4 - 2020-03-02

ACSPRING-106 Upgrade to Spring Boot 2.2.4
ACSPRING-105 Use atlassian.com URL for OAuth 2.0 JWT authorization server

2.0.3 - 2019-12-17

ACSPRING-101 Error installing app with Jackson configured to reject additional properties
ACSPRING-102 Set Referrer-Policy response header by default

2.0.2 - 2019-11-22

ACSPRING-98 Upgrade to Spring Security OAuth2 2.4
ACSPRING-100 Upgrade to Spring Boot 2.2

2.0.1 - 2019-08-30

ACSPRING-97 Load all.js from CDN instead of from host product

boris · May 4, 2020, 3:01pm

Awesome! Prototype Pollution in lodash | CVE-2020-8203 | Snyk got identified last week, will there be an ACE upgrade related to this as well?

epehrson · May 4, 2020, 3:35pm

@boris that is rather off-topic

But both Snyk and the vulnerability scanning tool that Atlassian uses show that the vulnerability you mention has not yet been fixed in the latest version of lodash.

sven.schatter · May 4, 2020, 4:05pm

Thanks for posting this here @epehrson!