...

We are in the process of preparing that patch release now, and it should be imminent. The other known third-party CVEs that are feasible to address should be dealt with in that patch. There’s not much else in the queue for that patch, only some minor fixes. While this patch will be built using our old “we host all the jars” process, we do have the new signature and dependency checking enforcement enabled on the branch, and we hope to be ready to move to using Maven Central for third party artifacts in the near future to reduce the burden of constantly uploading everything ourselves.

Work has started in parallel to stand up a development branch of the IdP on top of Spring 6 and Java 17, and we are identifying where we have dependencies at risk due to the transition that may have to be remediated, removed, or become internally forked projects. The most serious of these is, as expected, Spring WebFlow, for which we are trying to get an official acknowledgement that it is end of life. We don’t think, at this point, there is much chance we can identify a practical alternative, so some kind of stripped-down fork with as much removed as possible is the most likely outcome here.

During development work on the previously described OAuth enhancements to the OP plugin, some vulnerabilities around the handling of JWT client authentication were noted and fixed over the holidays, with that patch going out early this year. This doesn’t impact a lot of deployers at this point, but the JWT support probably should be more widely adopted, as it allows for public-key authentication of clients, which in turn (combined with our SAML metadata support for OIDC) essentially would open the door to practical federation of OIDC and OAuth.

...