Comment From: chadlwilson
Is a backport of this being considered to the 2.3 branch, given https://nvd.nist.gov/vuln/detail/CVE-2020-10687 has no 2.1.x fix currently?
Alternatively, users can override the dependency management to do an earlier upgrade. The upgrade looks relatively harmless as far as I can see.
Comment From: snicoll
Is a backport of this being considered to the 2.3 branch
@chadlwilson As indicated on the wiki, we only upgrade third party at the patch level for any given Spring Boot patch release. Please reach out to the Undertow team if they'd consider backporting the CVE fix.
As you've mentioned, overriding dependency management is the way to go otherwise. This is covered in the documentation for both Maven and Gradle.
Comment From: chadlwilson
Fair enough, thanks.