Released 2026-05-10 11:07:29 +02:00

Security hotfix for the v2.0.0 release.
Security Fixes:

Dependabot (2 alerts resolved):
- Updated `org.bouncycastle:bcprov-jdk18on` from 1.78.1 to 1.84
  - CVE-2026-5598 (HIGH): Bouncy Castle covert timing channel vulnerability
  - CVE-2026-0636 (MEDIUM): Bouncy Castle LDAP injection vulnerability

CodeQL (4 alerts resolved):
- Enabled CSRF protection with `CookieCsrfTokenRepository`
  - Added proper CSRF protection for the SPA architecture with stateless JWT
  - Public endpoints exempted from CSRF (/api/auth/login, /api/health, /actuator/**)
  - HttpOnly=false for JavaScript access, Secure cookies in production
- Added `permissions: contents: read` to GitHub Actions workflows
  - frontend-ci.yml
  - compose-smoke-test.yml
  - migration-ci.yml

Validation:
- ✅ Backend compiles successfully with Bouncy Castle 1.84
- ✅ Docker Compose configuration valid
- ✅ CSRF protection properly configured for JWT + SPA

All security alerts addressed and tested.
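The CSRF item above describes a Spring Security setup (`CookieCsrfTokenRepository`, HttpOnly=false, Secure cookies in production, stateless JWT, public endpoints exempted) without showing it. The following is an added example written for this page, not the project's own configuration. It assumes Spring Boot with Spring Security 6.1 or later (for `setCookieCustomizer`), a JWT authentication filter elsewhere in the project that is not shown, and a hypothetical `app.cookies.secure` property used to switch the Secure attribute on in production; the three exempted paths are the ones listed in the release notes.

```java
// Added example, not project code: Spring Security 6.1+ CSRF configuration for a
// stateless-JWT SPA using CookieCsrfTokenRepository, as described in the release notes.
// Assumptions: the project's JWT filter exists elsewhere (not shown) and a hypothetical
// `app.cookies.secure` property is true in production and false for plain-HTTP dev.
import java.io.IOException;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.filter.OncePerRequestFilter;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@Configuration
public class CsrfSecurityConfig {

    // Hypothetical property (assumption): true in the production profile.
    @Value("${app.cookies.secure:true}")
    private boolean secureCookies;

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // HttpOnly=false is deliberate: the SPA reads the XSRF-TOKEN cookie and echoes it
        // back in the X-XSRF-TOKEN header (cookie-to-header pattern). A cross-site page
        // cannot read that cookie, so it cannot produce a matching header.
        CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        // Secure attribute keeps the token cookie off plaintext HTTP in production.
        tokenRepository.setCookieCustomizer(cookie -> cookie.secure(secureCookies));

        // Plain (non-XOR) handler: the raw cookie value is exactly what the client must send.
        // Spring's default XorCsrfTokenRequestAttributeHandler masks the token against
        // BREACH, which an SPA reading the cookie directly would then have to unmask.
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();

        http
            // Stateless JWT: no HttpSession, so the CSRF token lives only in the cookie.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf
                .csrfTokenRepository(tokenRepository)
                .csrfTokenRequestHandler(requestHandler)
                // Public endpoints exempted from CSRF, as listed in the release notes.
                .ignoringRequestMatchers("/api/auth/login", "/api/health", "/actuator/**"))
            // Spring Security 6 resolves the token lazily; this filter touches it on every
            // request so the Set-Cookie: XSRF-TOKEN header is actually emitted.
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/login", "/api/health", "/actuator/**").permitAll()
                .anyRequest().authenticated());
        // The project's own JWT authentication filter would be registered here as well.
        return http.build();
    }

    // Forces the deferred CsrfToken to be loaded so CookieCsrfTokenRepository writes the
    // XSRF-TOKEN cookie, including on the initial GET the SPA performs before any POST.
    static final class CsrfCookieFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrfToken != null) {
                csrfToken.getToken(); // triggers saveToken(), which sets the cookie
            }
            filterChain.doFilter(request, response);
        }
    }
}
```

With this in place the SPA reads the `XSRF-TOKEN` cookie and sends its value in the `X-XSRF-TOKEN` header on every state-changing request; requests to the three exempted paths and all GETs pass without a token. Two checks worth running after deployment: confirm a response to an unauthenticated GET carries `Set-Cookie: XSRF-TOKEN=...; Secure` in production, and confirm a POST to a protected endpoint without the header is rejected with 403. Because HttpOnly is off, the token is readable by any script on the origin, so this scheme protects against cross-site requests but not against script injection in the SPA itself; CSP and output encoding remain the controls for that.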