Whether the 5.3 branch is planned to fix CVE-2016-1000027 vulnerabilities in 5.3.39?

[chengyouling]

Hello, Currently, the latest JDK8 version 5.3.39 still has vulnerabilities. Can the open source community release a new 5.3.x version to fix the vulnerabilities so that JDK8 can be used?

ths, look forward to your reply.

[bclozel]

CVE-2016-1000027 is a well-known false positive, please read this issue comment.

Spring Framework 5.3.x and 6.0.x are only commercially supported at this point. We've released several commercial releases fixing CVEs and bugs in the meantime. For example, Spring Framework 5.4.42. Unless you are a commercial customer, you should be upgrading to an OSS supported version as soon as possible since 5.3.39 is vulnerable to several CVEs (for example, cve-2024-38828).

Please keep an eye on our blog post announcements and official support page to plan for upgrades in advance.

Thanks!

[chengyouling]

@bclozel

Will the fixed version be released to the Maven repository later?

ths.

[bclozel]

No, we don't release commercial versions to Maven Central.

[chengyouling]

@bclozel

So, is the 5.3.x branch EOM? Except for the commercial version, there no longer hava new release maintained for JDK8?

thanks.

[bclozel]

The 5.3.x generation has been commercial only for almost two years at this point. Everything is well explained on our support page. I don't know how to provide more information here, besides repeating my previous comment.

[chengyouling]

Ok, Thank you!