Still latest undertow version is not yet included in spring boot release. We are getting vulnerabilities reported in undertow version being used in spring boot. Can we upgrade undertow version alone in our project and use?
Comment From: bclozel
From your comment, it's not clear which Undertow version you would like to use with Spring Boot.
Undertow 2.3.16.Final was published 4 days ago, we should upgrade to it in the next maintenance releases.
We did skip the previous 2.3.14.Final and 2.3.15.Final versions because they contained regressions, see https://issues.redhat.com/browse/UNDERTOW-2420. This is still not resolved at this time.
Feel free to override the dependency version in your build file, if the regression is not a problem for your application.
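The override bclozel describes, as an added example that is not part of the thread: for a project built on `spring-boot-starter-parent`, Spring Boot's dependency management reads the `undertow.version` property, so setting it re-pins every `io.undertow` artifact at once. The version used is the 2.3.16.Final mentioned above; the starter set below is an assumed web project swapping Tomcat for Undertow.

```xml
<!-- Added example, not from the thread: pom.xml fragment for a project whose parent is
     spring-boot-starter-parent. Spring Boot's BOM derives the io.undertow:* versions
     (undertow-core, undertow-servlet, undertow-websockets-jsr) from undertow.version,
     so overriding the property pins all of them consistently instead of one artifact. -->
<properties>
  <!-- 2.3.16.Final is the release named in the thread; re-check UNDERTOW-2420 before adopting it -->
  <undertow.version>2.3.16.Final</undertow.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
      <!-- drop the default embedded container so Undertow is the only server on the classpath -->
      <exclusion>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-tomcat</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-undertow</artifactId>
  </dependency>
</dependencies>
```

Verify the pin took effect with `mvn dependency:tree -Dincludes=io.undertow`, which should list every `io.undertow` artifact at the overridden version. If the project imports `spring-boot-dependencies` as a BOM instead of using the parent, the property is ignored and the `io.undertow` artifacts must be declared explicitly in `dependencyManagement` ahead of the BOM import.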
Comment From: haliyar
Thank you @bclozel. I intended to ask for the undertow version 2.3.14 only. We are waiting for spring boot to include the latest undertow version. As spring boot itself did not include the undertow version 2.3.14, we are hesitant to include it explicitly to avoid unexpected issues. Can we expect the next spring boot upgrade would pack the latest undertow version?
Comment From: philwebb
@haliyar I suspect we might need to hold off again since https://issues.redhat.com/browse/UNDERTOW-2420 has not yet been fixed. We'll discuss options nearer the time of the release.