
fix(deps): update dependency org.springframework.ldap:spring-ldap-core to v2.4.4 [security]#2938

Closed
renovate[bot] wants to merge 1 commit into master from renovate/springldapversion

Conversation

@renovate renovate Bot commented Apr 15, 2026
Contributor

This PR contains the following updates:

Package: org.springframework.ldap:spring-ldap-core (source)
Change: 2.3.4.RELEASE → 2.4.4

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Spring LDAP data exposure vulnerability

CVE-2024-38829 / GHSA-mqvr-2rp8-j7h4

Details

A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns being queried.
Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

spring-projects/spring-ldap (org.springframework.ldap:spring-ldap-core)

v2.4.4

New Features

  • Specify Locale in Case Functions #965

Dependency Upgrades

  • Update to Spring Security 5.8.15 #962
  • Update to SLF4J 1.7.36 #961
  • Update to Hibernate 5.6.15 #960
  • Update to Freemarker 2.3.33 #959
  • Update to Apache HttpClient 4.5.14 #958
  • Update to AspectJ 1.9.22.1 #957
  • Update to Jackson 2.13.4 #956
  • Update to Spring Data 2021.1.10 #955
  • Update to Spring Framework 5.3.39 #954

v2.4.2

New Features

  • Document how DnAttribute name and index are mutually exclusive #941
  • Remove from Jenkins CI #918

Bug Fixes

  • java.lang.reflect.UndeclaredThrowableException with spring-ldap-core 2.3.2.RELEASE and above #939

v2.4.1

🪲 Bug Fixes

  • Wrong Project Information in Maven POM (2.4.0) #663

🔨 Dependency Upgrades

  • Update to Spring Framework 5.3.21 #673
  • Update to Jackson 2.13.3 #672
  • Update to unboundid-ldapsdk 6.0.5 #671
  • Update to AspectJ 1.9.9.1 #670
  • Update to EasyMock 2.5.2 #669
  • Update to FreeMarker 2.3.31 #668
  • Update to Hibernate 5.6.9.Final #667
  • Update to hsqldb 2.6.1 #666
  • Update to Spring Security 5.6.5 #665

v2.4.0

⭐ New Features

  • The package org.springframework.ldap.core is split #632

🪲 Bug Fixes

  • 2.4 requires Jakarta EE 9 #639
  • NullPointerException thrown if principal or credentials are null #538

🔨 Dependency Upgrades

  • Update Gradle to 7.4.2 #652
  • Update org.springframework.security to 5.6.3 #651
  • Update build-info-extractor-gradle to 4.28.2 #650
  • Update commons-pool2 to 2.11.1 #649
  • Update servlet-api to 4.0.1 #648
  • Update spring-io-plugin to 0.0.8.RELEASE #647
  • Update gradle-nexus-staging-plugin to 0.30.0 #646
  • Update unboundid-ldapsdk to 6.0.4 #645
  • Update gradle-versions-plugin to 0.36.0 #644
  • Update logback-classic to 1.2.11 #643
  • Update to Spring Data 2021.1.4 #642
  • Update to JUnit 5.8.2 #641
  • Update to Spring Framework 5.3.19 #640

v2.3.8.RELEASE

🪲 Bug Fixes

  • NullPointerException thrown if principal or credentials are null #658

v2.3.6.RELEASE

⭐ New Features

  • Failed to read schema document ".../spring-repository.xsd" #627

🪲 Bug Fixes

  • LdapTemplate.find method is NOT taking the attributesToReturn from LdapQuery #622
  • Fixed debug log format strings #619
  • LDAP connection not closed due to DefaultDirContextValidator #618

v2.3.5.RELEASE

⭐ New Features

  • Isolate DatatypeConverter Usage #590

🪲 Bug Fixes

  • Fix duplicate typos in docs and exception message #597
  • Fix Example 13 in documentation #587
  • Error in documentation code #584

🔨 Dependency Upgrades

  • Update to Easymock 2.5.2 #606
  • Update to Freemarker 2.3.31 #605
  • Update to Spring Security 4.2.20.RELEASE #604
  • Update to Hibernate 5.2.18.Final #603
  • Update to Powermock 1.6.6 #602
  • Update to Slf4J 1.7.32 #601
  • Update to Spring 4.3.30.RELEASE #600

❤️ Contributors

We'd like to thank all the contributors who worked on this release!


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
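Added example illustrating the root cause named in the advisory above (locale-dependent String.toLowerCase()/toUpperCase()); this is not spring-ldap code and not part of this PR. The class, method names and the attribute names "uid"/"UID" are constructed for illustration; Locale, toLowerCase(Locale), equalsIgnoreCase and Locale.forLanguageTag are standard JDK APIs. It shows the vulnerable pattern beside the deterministic forms, plus a check for the host locales where the two diverge.

```java
import java.util.Locale;

/*
 * Added example, not code from spring-ldap or from this PR: demonstrates why
 * case folding without an explicit Locale depends on the host the JVM runs on,
 * and two alternatives that do not. Names and sample values are constructed.
 */
public class LocaleCaseFolding {

    /**
     * The vulnerable pattern: case folding with whatever Locale the JVM runs under.
     * The locale is a parameter here only so both outcomes can be shown in one
     * process without calling Locale.setDefault(); production code that calls the
     * no-argument toLowerCase() gets Locale.getDefault() implicitly.
     */
    static boolean equalsFoldedIn(String a, String b, Locale jvmDefault) {
        return a.toLowerCase(jvmDefault).equals(b.toLowerCase(jvmDefault));
    }

    /** Hardened pattern: Locale.ROOT makes the folding independent of the host locale. */
    static boolean equalsFoldedRoot(String a, String b) {
        return a.toLowerCase(Locale.ROOT).equals(b.toLowerCase(Locale.ROOT));
    }

    /** Alternative: equalsIgnoreCase folds per character and ignores the default Locale. */
    static boolean equalsIgnoreCase(String a, String b) {
        return a.equalsIgnoreCase(b);
    }

    /**
     * Operational check for a deployment: the JDK applies language-specific casing
     * rules for Turkish, Azerbaijani and Lithuanian. A JVM started under one of these
     * (for example with -Duser.language=tr) is where the vulnerable pattern diverges
     * from what was tested on an English-locale developer machine.
     */
    static boolean hasSpecialCasingRules(Locale locale) {
        String lang = locale.getLanguage();
        return lang.equals("tr") || lang.equals("az") || lang.equals("lt");
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        String configured = "uid";   // attribute name as configured (constructed sample)
        String requested = "UID";    // same name as received from a caller (constructed sample)

        System.out.println("JVM default locale: " + Locale.getDefault()
                + ", special casing rules: " + hasSpecialCasingRules(Locale.getDefault()));

        // Root locale: 'I' folds to 'i', so the two spellings compare equal.
        System.out.println("fold under ROOT : " + equalsFoldedIn(configured, requested, Locale.ROOT));

        // Turkish locale: 'I' folds to dotless 'ı' (U+0131), so "UID" becomes "uıd"
        // and a comparison that passed on the developer's machine fails on this host.
        System.out.println("fold under tr-TR: " + equalsFoldedIn(configured, requested, turkish));
        System.out.println("  \"UID\" folded under tr-TR: " + requested.toLowerCase(turkish));

        // Both hardened forms answer the same way on every host.
        System.out.println("Locale.ROOT     : " + equalsFoldedRoot(configured, requested));
        System.out.println("equalsIgnoreCase: " + equalsIgnoreCase(configured, requested));
    }
}
```

Compile with javac and run with `java LocaleCaseFolding`; to reproduce the JVM-wide effect rather than the simulated one, start it with `java -Duser.language=tr -Duser.country=TR LocaleCaseFolding`. The 2.4.4 change listed above ("Specify Locale in Case Functions", #965) removes this dependence on the host locale inside spring-ldap; the version pinned in this repository, 2.3.4.RELEASE, falls under "all versions prior to 2.4.0" in the advisory, so a deployment running under one of the locales flagged by hasSpecialCasingRules keeps the behaviour until the upgrade lands.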

bjagg added a commit that referenced this pull request Apr 27, 2026

Problem: Renovate keeps opening major-bump PRs (Spring 5/6, Spring
Security 5+, Hibernate 5+) because the Maven Central versions newer
than what we pin in gradle.properties show up as available, and
[security] flags in those PRs amplify the noise. Each major is a
coordinated migration we are not ready for, and we close them by hand
every cycle. Recent examples: #2937, #2940, #2941, #2942.

Goal: encode the migration constraints in renovate.json so Renovate
stops offering majors that won't be merged. Stays consistent with the
same pinning pattern applied across the portlet repos in the recent
sweep (AnnouncementsPortlet, basiclti-portlet, FeedbackPortlet,
NotificationPortlet, etc.).

Changes:
- renovate.json: add three packageRules entries with allowedVersions
  - org.springframework:* / .data:* / .webflow:* → < 5.0
    (Spring 5+ requires a coordinated API migration; Spring 6+ adds
     Jakarta EE + Java 17 on top.)
  - org.springframework.security:* / .oauth:* → < 5.0
    (Bound to the Spring Framework 4.3.x line; moves in lockstep.)
  - org.hibernate:* / org.hibernate.orm:* → < 5.0
    (Hibernate 5+ has API + EntityManager changes; 6+ renames the
     groupId and needs Jakarta EE + Java 17.)

Notes: did not pin Spring LDAP (2.x is current line, 2.4.4 bump in
#2938 is a minor), Springfox (2.10.0 bump in #2935 is also a minor),
or Guava (#2939 to v32 is plausible — resource-server already runs
guava 32). These can flow through normally.

Closes #2937, #2940 (duplicates).
Closes #2941, #2942 (won't migrate this release).

Refs #2938, #2935, #2939 (allowed to proceed normally).
@renovate renovate Bot changed the title fix(deps): update dependency org.springframework.ldap:spring-ldap-core to v2.4.4 [security] fix(deps): update dependency org.springframework.ldap:spring-ldap-core to v2.4.4 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/springldapversion branch April 27, 2026 18:24
bjagg commented Apr 27, 2026
Member

@renovatebot rebase

Triggering a rebase + fresh CI run. Master has moved since this was last tested (most relevantly #2944 which excluded Spring transitives elsewhere). If the TransactionManager/PlatformTransactionManager compile error reappears, we'll skip this for the v5.17.3 cut.

@renovate renovate Bot changed the title fix(deps): update dependency org.springframework.ldap:spring-ldap-core to v2.4.4 [security] - autoclosed fix(deps): update dependency org.springframework.ldap:spring-ldap-core to v2.4.4 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/springldapversion branch 2 times, most recently from 9ed79db to 3f7b803 Compare April 27, 2026 20:27
bjagg commented Apr 27, 2026
Member

Closing — spring-ldap 2.4.x transitively pulls in a newer Spring core where TransactionManager was added as a parent of PlatformTransactionManager, breaking uPortal-spring/.../TransactionManagerCachingTransactionInterceptor.java. Adopting this requires either a Spring transitive exclusion on spring-ldap or updating the TX interceptor to accept the broader interface. Reopen as a code-change PR if/when we tackle that.

@bjagg bjagg closed this Apr 27, 2026
renovate Bot commented Apr 27, 2026
Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (2.4.4). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
