• v2.0.0-hotfix 2de428f06f

    FTMahringer released this 2026-05-10 11:07:29 +02:00 | 193 commits to main since this release

    Security hotfix for v2.0.0 release.

    Security Fixes:

    Dependabot (2 alerts resolved):

    • Updated `org.bouncycastle:bcprov-jdk18on` from 1.78.1 to 1.84
      • CVE-2026-5598 (HIGH): Bouncy Castle covert timing channel vulnerability
      • CVE-2026-0636 (MEDIUM): Bouncy Castle LDAP injection vulnerability

    CodeQL (4 alerts resolved):

    • Enabled CSRF protection with `CookieCsrfTokenRepository`
      • Added proper CSRF protection for SPA architecture with stateless JWT
      • Public endpoints exempted from CSRF (/api/auth/login, /api/health, /actuator/**)
      • HttpOnly=false for JavaScript access, secure cookies in production
    • Added `permissions: contents: read` to GitHub Actions workflows
      • frontend-ci.yml
      • compose-smoke-test.yml
      • migration-ci.yml
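    What a CSRF setup of this shape looks like in Spring Security 6.1+ (added example, not code from this project): the cookie repository with HttpOnly=false, the exempted public endpoints and the stateless JWT session policy follow the notes above, while the class name, the APP_SECURE_COOKIES environment variable and the request handler are assumptions.

```java
import java.util.function.Supplier;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.*;
import org.springframework.util.StringUtils;

@Configuration
public class CsrfSpaConfig {
    // Assumed deployment switch: Secure cookies everywhere except local HTTP development.
    private static final boolean SECURE_COOKIES =
            Boolean.parseBoolean(System.getenv().getOrDefault("APP_SECURE_COOKIES", "true"));

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // The SPA reads the token from the cookie and echoes it in the X-XSRF-TOKEN header,
        // so HttpOnly is off; Secure still keeps the cookie off plain HTTP in production.
        CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
        repo.setCookieCustomizer(cookie -> cookie.secure(SECURE_COOKIES));

        http.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf
                .csrfTokenRepository(repo)
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
                // Public endpoints from the release notes are exempt from the CSRF check.
                .ignoringRequestMatchers("/api/auth/login", "/api/health", "/actuator/**"));
        return http.build();
    }

    /** Header carries the raw cookie value; form fields carry the BREACH-masked one. */
    static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(HttpServletRequest req, HttpServletResponse res, Supplier<CsrfToken> token) {
            this.xor.handle(req, res, token);
            token.get(); // load the deferred token so the XSRF-TOKEN cookie is written on every response
        }

        @Override
        public String resolveCsrfTokenValue(HttpServletRequest req, CsrfToken token) {
            String header = req.getHeader(token.getHeaderName());
            return (StringUtils.hasText(header) ? this.plain : this.xor).resolveCsrfTokenValue(req, token);
        }
    }
}
```

    A quick check after deploying: the first GET from the SPA must return a Set-Cookie for XSRF-TOKEN without the HttpOnly flag, and a POST to a non-exempt endpoint without the X-XSRF-TOKEN header must be rejected with 403.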

    Validation:

    • Backend compiles successfully with Bouncy Castle 1.84
    • Docker Compose configuration valid
    • CSRF protection properly configured for JWT + SPA

    All security alerts addressed and tested.
