Upgrade Spring Boot from 3.2.3 to 3.3.7.
Note that OSS support for Spring Boot 3.2.x ended on 2024-11-23: https://spring.io/projects/spring-boot#support
Note that Ramsons requires Spring Boot 3.3.x: https://folio-org.atlassian.net/wiki/spaces/TC/pages/5058042/Ramsons#Ramsons-ThirdPartyLibraries/Frameworks
The Spring Boot upgrade indirectly upgrades kafka-clients from 3.6.1 to 3.7.2 fixing
https://www.cve.org/CVERecord?id=CVE-2024-56128 Incorrect Implementation of Authentication Algorithm
https://www.cve.org/CVERecord?id=CVE-2024-31141 Files or Directories Accessible to External Parties
Upgrade minio client from 8.5.9 to 8.5.15.
Upgrade folio-spring-base from 8.2.0 to 8.2.2.
The minio upgrade and the folio-spring-base upgrade indirectly upgrade bcprov-jdk18on from 1.77 to 1.78.1 fixing
https://www.cve.org/CVERecord?id=CVE-2024-30172 Infinite loop
https://www.cve.org/CVERecord?id=CVE-2024-30171 Observable Discrepancy
https://www.cve.org/CVERecord?id=CVE-2024-29857 Allocation of Resources Without Limits or Throttling
The Spring Boot upgrade and the folio-spring-base upgrade indirectly upgrade spring-webmvc from 6.1.4 to 6.1.16 fixing
https://www.cve.org/CVERecord?id=CVE-2024-38816 Path Traversal
https://www.cve.org/CVERecord?id=CVE-2024-38819 Path Traversal
The Spring Boot upgrade and the folio-spring-base upgrade indirectly upgrade tomcat-embed-core from 10.1.19 to 10.1.34 fixing
https://www.cve.org/CVERecord?id=CVE-2024-38286 Allocation of Resources Without Limits or Throttling
https://www.cve.org/CVERecord?id=CVE-2024-34750 Insufficient Session Expiration
The Spring Boot upgrade and the folio-spring-base upgrade indirectly upgrade spring-web from 6.1.4 to 6.1.16 fixing
https://www.cve.org/CVERecord?id=CVE-2024-22259 Open Redirect
https://www.cve.org/CVERecord?id=CVE-2024-38809 Denial of Service (DoS)
Upgrade the AWS S3 client from 2.25.13 to 2.29.47. This indirectly upgrades netty-codec-http from 4.1.107.Final to 4.1.116.Final fixing
https://www.cve.org/CVERecord?id=CVE-2024-29025 Allocation of Resources Without Limits or Throttling
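Because every CVE fix above arrives transitively, the upgrade is only effective if the resolved dependency tree actually contains the fixed versions. The following script is an added example (not FOLIO project code) that checks the output of `mvn dependency:list` against the minimum versions named in this ticket; the Maven group IDs and the sample dependency lines are assumptions constructed for the example.

```python
"""Check resolved Maven dependency versions against the minimums this
ticket relies on. Added example, not part of the FOLIO project."""
import re

# Fixed versions named in the ticket. Group IDs are an assumption
# (the ticket only gives artifact names).
MINIMUM_VERSIONS = {
    "org.apache.kafka:kafka-clients": "3.7.2",
    "org.bouncycastle:bcprov-jdk18on": "1.78.1",
    "org.springframework:spring-webmvc": "6.1.16",
    "org.springframework:spring-web": "6.1.16",
    "org.apache.tomcat.embed:tomcat-embed-core": "10.1.34",
    "io.netty:netty-codec-http": "4.1.116.Final",
}

# Line shape of `mvn dependency:list`: [INFO]    group:artifact:jar:version:scope
DEP_LINE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):\w+")

def version_key(version):
    """Comparable tuple of the numeric parts, so '4.1.116.Final' sorts as
    (4, 1, 116). Qualifiers are dropped; this is enough for the artifacts
    on this page, which all use plain numeric ordering."""
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())

def parse_dependency_list(text):
    """Map 'group:artifact' -> resolved version for every matching line."""
    resolved = {}
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            resolved[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return resolved

def find_outdated(resolved, minimums=MINIMUM_VERSIONS):
    """Return {artifact: (resolved_or_None, required)} for each artifact
    that is below its minimum or missing from the resolved tree."""
    outdated = {}
    for artifact, required in minimums.items():
        actual = resolved.get(artifact)
        if actual is None or version_key(actual) < version_key(required):
            outdated[artifact] = (actual, required)
    return outdated

# Constructed sample: a build where tomcat-embed-core was pinned elsewhere
# and did not pick up the fixed version.
SAMPLE_OUTPUT = """\
[INFO]    org.apache.kafka:kafka-clients:jar:3.7.2:compile
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.78.1:compile
[INFO]    org.springframework:spring-webmvc:jar:6.1.16:compile
[INFO]    org.springframework:spring-web:jar:6.1.16:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.19:compile
[INFO]    io.netty:netty-codec-http:jar:4.1.116.Final:compile
"""

if __name__ == "__main__":
    for artifact, (actual, required) in find_outdated(parse_dependency_list(SAMPLE_OUTPUT)).items():
        print(f"{artifact}: resolved {actual}, need >= {required}")
```

Run it against real `mvn dependency:list -DincludeScope=runtime` output to confirm no older version is pinned by dependency management or another transitive path.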
Uploading files with identifiers in the "Bulk edit" app was verified for all record types (Instances, Holdings, Items, Users) on the OKAPI and Eureka bugfest environments; it works as expected.