Updated Spring Framework to version 5.3.26

Updated Spring Framework to version 5.3.26 in order to mitigate CVE-2023-20860 and CVE-2023-20861.

(CMS-22852)

CKEditor 5 36.0.1

CKEditor 5 has been updated to 36.0.1. The update is included in the version 14.0.2 of the CoreMedia plugins. For further information see the release notes of 14.0.2.

(CMS-22748)

Possible NullPointerException fixed for Markup in Structs XLIFF export

You may observe a NullPointerException when exporting Markup in Structs to XLIFF. This is caused by newly created Markup nodes in Struct properties, that didn't get a value yet.

This issue has been fixed. Markup properties in Struct that are null as value are not tried to be exported anymore.

(CMS-22725)

Fixed Cache Bug that causes RecursiveCacheLookUpException

Fixed a bug in the central CoreMedia cache component, that can cause sporadic failures when evaluating cached values from multiple threads under high load. Cache evaluations could have failed with a RecursiveCacheLookUpException, because computations were incorrectly identified as being cyclic computations that could loop endlessly. This has been fixed now.

(CMS-22672)

Fixed LdapUserProvider Configuration

Due to a bug in LdapUserProvider , the configuration properties

cap.server.userproviders[n].java.naming.referral
cap.server.userproviders[n].java.naming.ldap.version

had no effect. Now they are supported. For backward compatible behaviour, delete these properties from the configuration of your contentservers. (You probably did not set them anyway, because the defaults are appropriate in most cases.)

The support of java.naming.referral should also improve the default behaviour of the ActiveDirectoryUserProviders, when they encounter referrals. This typically happens if LDAP groups have many (e.g. >1500, depends on the AD version) direct members, or if LDAP users are direct members of many groups.

Moreover, the configuration property cap.server.userprovidersn.java.naming.security.protocol is now passed as JNDI connection parameter java.naming.security.protocol , as it is recommended by the JNDI documentation. LDAP over SSL (ldaps) worked also before, because the property is considered in an additional way.

(CMS-22638)

Fix Solr Configuration for Replication Handler

The Solr configuration files (solrconfig.xml) for CAE and Studio indices have been fixed to not configure example credentials for basic authentication for the Solr replication anymore. These settings had been introduced accidentally and caused problems when trying to override them externally.

(CMS-22550)

Updated OWASP Dependency Check Maven Plugin

The OWASP Dependency Check Maven Plugin has been updated from 7.4.4 to 8.1.2 - see

(CMS-21947)