The built-in handling of resources in Spring MVC and WebFlux gets updated occasionally, but the functional programming model hasn't stayed up-to-date. Those should be functionally equivalent where it makes sense.

Comment From: drdpov

Hello @rstoyanchev, hope you are doing well. I've come across this PR and noticed that there is one minor issue. I've created a PR which should resolve it; could you please take a look? https://github.com/spring-projects/spring-framework/pull/33568

Comment From: lucky8987

@drdpov Hello, as we currently have no plans to upgrade to version 6.1.x, this issue has triggered a high-risk vulnerability: https://spring.io/security/cve-2024-38816 Can you fix those issues specifically for version 5.3.39?

Comment From: bclozel

@lucky8987 all CVE fixes are already backported to 5.3.x, see our announcement blog post and the advisory you've linked to. 5.3.x is not OSS supported anymore so you'll have to upgrade to a newer generation or consider commercial support.

Comment From: lucky8987

> @lucky8987 all CVE fixes are already backported to 5.3.x, see our announcement blog post and the advisory you've linked to. 5.3.x is not OSS supported anymore so you'll have to upgrade to a newer generation or consider commercial support.

I understand, thanks!

Comment From: luckymanbuddha

@bclozel Hello, I would like to ask whether, for CVE-2024-38819, the same as for CVE-2024-38816, Tomcat or Jetty can be used as the web server to reject such malicious requests? Thank you.

Comment From: bclozel

@luckymanbuddha I believe the Spring Security firewall will protect against those, but not Tomcat nor Jetty.