I could see how "Upgrade to Spring Framework 5.3.14" happened for 2.6.2 and 2.5.8, but not for 2.4. The latest 2.4 is 2.4.13 and still has "Spring Framework 5.3.13", which is causing pipelines to fail due to CVE-2021-22060. Could you please include the security fix in 2.4?

Comment From: wilkinsona

Open source support for Spring Boot 2.4.x ended in November 2021. Please upgrade to 2.5.x or 2.6.x as soon as possible.

If, for some reason, you are stuck on 2.4.x, you can upgrade to Spring Framework 5.3.14 using the spring-framework.version property.

Comment From: strowk

Ah, I tried spring.version, but that did not work. Thanks for the suggestion. This extra["spring-framework.version"] = "5.3.14" seems to work.

We tried updating to 2.5, but this causes a lot of errors and we do not have several days to fix them at the moment. For some of them it is not clear how to fix them at all.
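Added example, not code from the thread or from the Spring Boot project: a build.gradle.kts that stays on Boot 2.4.13 but pins Spring Framework to 5.3.14 through the spring-framework.version property wilkinsona names, with the spring.version key that strowk found has no effect shown alongside for contrast. The dependency-management plugin version is an assumption.

```kotlin
// build.gradle.kts (added example; not from the thread or from Spring Boot itself)
plugins {
    id("org.springframework.boot") version "2.4.13"
    // Assumption: this dependency-management plugin release is the one paired with Boot 2.4.x
    id("io.spring.dependency-management") version "1.0.11.RELEASE"
}

// Pin Spring Framework to 5.3.14, the release the thread names for CVE-2021-22060.
// The managed version is exposed as a project property named spring-framework.version,
// which is the name the dependency-management plugin honours.
extra["spring-framework.version"] = "5.3.14"

// As noted in the thread, a property called spring.version is not consulted,
// so this line changes nothing and Boot 2.4.13 keeps resolving Spring Framework 5.3.13:
// extra["spring.version"] = "5.3.14"

repositories { mavenCentral() }

dependencies {
    implementation("org.springframework.boot:spring-boot-starter-web")
}
```

Confirm the override took effect with ./gradlew dependencyInsight --configuration runtimeClasspath --dependency org.springframework:spring-core; the report should show 5.3.14 for the Spring Framework modules.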

Comment From: wilkinsona

If you have problems upgrading from Spring Boot 2.4 to 2.5 that aren't covered in the release notes then please let us know and we'll do our best to help you.

Comment From: strowk

We were using https://github.com/rio-cloud/mock-auth-server to locally test some auth stuff. That stopped working with the upgrade to SB 2.5. There have been several tries to figure out what is causing this, but so far no luck. It seems to be something about threading, because we get socket timeouts, and I think that somehow we get a deadlock with the client blocked waiting for the server and the server locked waiting until a thread becomes available (I think). I did not dig very deep, since I never have time for this :( We'll probably end up removing that stuff. I'm kind of surprised that the 2.4 -> 2.5 upgrade is causing issues like this; it is supposed to be backward compatible, right? Assuming here that semantic versioning is followed.

Sorry for necroposting, but I keep hitting this inability to upgrade to 2.5 each time I get another vulnerability.

Comment From: wilkinsona

I've never used mock-auth-server and know almost nothing about it. A quick look at its dependencies shows some overlap with things that are managed by Spring Boot's dependency management. In the area of socket timeouts, the most likely candidate is probably Jetty, but both Boot 2.4 and 2.5 use Jetty 9.4.x, so that may not be it after all. I do think that the cause is likely to be a dependency upgrade that's triggered by the move to Boot 2.5 rather than Boot itself, but we'd need a lot more information to prove or disprove that theory.