DHIS2 version 2.35.13 (patch release) is out as a HOTFIX for the vulnerability referred to as “spring4shell”.
This is the latest stable release for version 2.35, and supersedes releases 2.35.0 to 2.35.12.
The release note for this patch can be found here: Patch 2.35.13 Release Note.
DHIS2 Release Team
@phil Thanks as always for the quick work and context here.
What implications can we expect to find in general functionality of the system with the upgrade of the Spring library from 5.2.9 to 5.2.20, if any? Does this Spring library deal with anything specifically that we should check and make sure functions in the same way as previously constructed in previous versions in DHIS2?
Good questions @Matthew_Boddie!
Although the Spring library version has been bumped by several patch versions, the changes are all bug fixes, which are not expected to negatively impact functionality. Therefore the tests which are performed as part of our builds, plus the smoke testing we perform on the produced war file, give us a good level of confidence in this patch.
As usual it is always advisable to follow a controlled update process appropriate for your implementation.
Implementations that wish to run longer and more comprehensive testing as part of their update process can run their production system on Java 8, in the meantime, to ensure continued security.
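As an added example (not part of the thread or of DHIS2's own tooling), the following script checks which Spring Framework jars a deployed DHIS2 war file actually contains and flags any that are older than the 5.2.20 version the patch ships. It assumes the standard war layout (`WEB-INF/lib/spring-<artifact>-<version>.RELEASE.jar`) and builds a small constructed war in memory so it runs offline; point `outdated_spring_jars` at your real war bytes to use it in an update checklist.

```python
import io
import re
import sys
import zipfile
from typing import Dict, List, Tuple

# Spring Framework version shipped by the 2.35.13 patch (from the release thread above).
PATCHED_SPRING = "5.2.20"

# Matches WEB-INF/lib/spring-core-5.2.9.RELEASE.jar -> ("spring-core", "5.2.9").
# Assumption: version-suffixed jar names, which is the layout DHIS2 wars use.
JAR_RE = re.compile(r"^WEB-INF/lib/(spring-[a-z0-9-]+?)-(\d+\.\d+\.\d+)(?:\.RELEASE)?\.jar$")

# Separate Spring projects with their own version lines; they are not part of the
# Spring Framework bump and must not be compared against PATCHED_SPRING.
NOT_FRAMEWORK = ("spring-security", "spring-data", "spring-ldap", "spring-session")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.2.20' into (5, 2, 20) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def spring_framework_jars(war_bytes: bytes) -> Dict[str, str]:
    """Return {artifact: version} for every Spring Framework jar bundled in the war."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = JAR_RE.match(name)
            if not match or match.group(1).startswith(NOT_FRAMEWORK):
                continue
            found[match.group(1)] = match.group(2)
    return found


def outdated_spring_jars(war_bytes: bytes, minimum: str = PATCHED_SPRING) -> List[str]:
    """List Spring Framework artifacts in the war that are older than `minimum`."""
    floor = parse_version(minimum)
    jars = spring_framework_jars(war_bytes)
    return sorted(artifact for artifact, v in jars.items() if parse_version(v) < floor)


def build_sample_war(versions: Dict[str, str]) -> bytes:
    """Constructed sample war (empty jar entries) used only to exercise the check offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for artifact, version in versions.items():
            war.writestr(f"WEB-INF/lib/{artifact}-{version}.RELEASE.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python check_spring.py /path/to/dhis.war
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # Constructed demo: one jar already at the patched version, two still on 5.2.9.
        data = build_sample_war({
            "spring-core": "5.2.9",
            "spring-web": "5.2.9",
            "spring-webmvc": "5.2.20",
            "spring-security-core": "5.2.8",  # different project, ignored by the check
        })
    stale = outdated_spring_jars(data)
    if stale:
        print(f"Spring Framework jars older than {PATCHED_SPRING}: {', '.join(stale)}")
    else:
        print(f"All Spring Framework jars are at {PATCHED_SPRING} or newer")
```

The check only confirms what is bundled in the war; it does not replace the controlled update process and test run the thread recommends, but it gives a quick, repeatable answer to "which Spring version is this instance actually running?" before and after the upgrade.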
@phil thanks for that–and makes sense. In general, if there were problems (which I hear you, we shouldn’t expect), where would it hit us? For example would it be in program rule expressions, program indicators, or perhaps in the sqlViews, etc? Any particular place where spring library functions?