Is there any chance that the fix for this CVE [1] can be backported (and released) on the 2.5, 2.6 and 2.7 branches?

We have 3 (soon to be 4) supported branches, based on the 2.5.x, 2.6.x, 2.7.x (and soon 3.0.0) clients. Our versioning rules forbid moving to a new minor release for a dependency (e.g. 2.7.x to 2.8.x) in a patch release. Yes, the user can override the version to 2.8.1 (works on all of our supported branches), but the problem is (s)he gets a vulnerable version transitively and has to know to do so.

Or, is this CVE on the broker side only (and not on the clients)? (I have been unable to find the actual fix in the commit log.)

Thanks for your consideration.

The Spring team.

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153