Affects: 5.3.2
Spring Framework has Bouncy Castle as a dependency library, which has an issue registered as a CVE. The vulnerability has already been patched in version 1.6.7, whereas Spring remains on 1.6.6. I couldn't find any issue or PR mentioning it, so I am raising an issue here.
Comment From: bclozel
Spring Framework doesn't require this dependency nor ship any optional support for it. It is merely used for our integration tests here.
We'll upgrade this version in due course. Note that this CVE is not effective here since we're not using this feature against user data nor in production anywhere.
In the future, if you believe you've found a security issue, please report it responsibly here as noted in the issue template.