spring-security-crypto-encryption relies on old Spring version with multiple CVEs

[coheigea]

Hi,

If I want to use the Spring functionality to encrypt passwords via the spring-security-crypto-encryption feature, it defaults to using Spring Security 5.3.3 which is from 2020 and has multiple CVEs

https://mvnrepository.com/artifact/org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-security-core/5.3.3.RELEASE_2

Can it be updated to the latest please?

[jbonofre]

Yes, that makes sense.

It drives to another change: as ServiceMix is discussing/voting to go to the attic, we should not use ServiceMix Bundles anymore. So I will do the change to use wrap instead.

Let me create a separate ticket about that. I will tackle both (this ticket and the other one) at the same time.

Thanks !