Bump the maven group across 1 directory with 6 updates

[dependabot]

Bumps the maven group with 6 updates in the / directory:

Package	From	To
org.apache.tomcat:tomcat-catalina	9.0.20	9.0.107
com.unboundid:unboundid-ldapsdk	3.1.1	4.0.5
com.alibaba:fastjson	1.2.24	1.2.83
xalan:xalan	2.7.2	2.7.3
org.springframework:spring-beans	4.3.7.RELEASE	5.2.22.RELEASE
org.springframework:spring-context	4.3.7.RELEASE	6.1.20

Updates org.apache.tomcat:tomcat-catalina from 9.0.20 to 9.0.107

Updates com.unboundid:unboundid-ldapsdk from 3.1.1 to 4.0.5

Release notes

Sourced from com.unboundid:unboundid-ldapsdk's releases.

UnboundID LDAP SDK for Java 4.0.5

We have just released the UnboundID LDAP SDK for Java version 4.0.5, available for download from the LDAP.com website, from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository.

The most significant change in this release is the fix for a vulnerability described in CVE-2018-1000134. In an application that uses the LDAP SDK in synchronous mode, that uses the LDAP simple bind operation to authenticate users, that does not properly check to ensure that the user actually provided a password, and that sends its request to a directory server that does not follow the RFC 4513 section 5.1.2 recommendation to reject simple bind requests with a DN but no password, this bug could have allowed the application to mistakenly grant access to an attacker who identified themselves as a legitimate user but supplied an empty password. See CVE-2018-1000134 and the UnboundID LDAP SDK for Java for more information about this issue.

Other changes in the 4.0.5 release of the LDAP SDK include:

• Updated the command-line argument parser so that it will not assign a value from a properties file to an argument if that argument is part of an exclusive argument set and another argument in that set was provided on the command line.

• Fixed a manage-certificates bug in which the validity start time and validity duration values would be ignored when generating a self-signed certificate intended to replace an existing certificate. In that case, the tool would have always used the current time as the start time and a duration of one year.

• Updated the manage-certificates tool to change the primary name for the existing --replace-existing-certificate argument in the generate-certificate-signing-request subcommand to be --use-existing-key-pair, and updated the usage information to make it clearer that using this option will not cause the keystore to be updated. The former --replace-existing-certificate identifier can still be used and will behave in exactly the same way as before, so there is no change in functionality.

• Improved the usability of the ldap-debugger tool when using the --listenUsingSSL argument by ensuring that the --keyStorePath argument is also provided, along with one of the --keyStorePassword, --keyStorePasswordFile, and --promptForKeyStorePassword arguments.

• Fixed a number of cases in which there was a mismatch between the arguments provided to a message format string and the arguments expected by that format string. Unit tests have been added to help prevent this from recurring.

• Added a new PassphraseEncryptedOutputStream class that can be used to write encrypted data with a key generated from a provided passphrase. Also added a new PassphraseEncryptedInputStream class that can be used to read encrypted data written with the PassphraseEncryptedOutputStream when provided with the correct passphrase.

• Added new RateLimitedInputStream and RateLimitedOutputStream classes that can be used to impose a maximum rate (in bytes per second) at which data can be read from a wrapped input stream or written to a wrapped output stream.

• Added new CloseableLock and CloseableReadWriteLock classes that provide the same basic functionality as Java's ReentrantLock and ReentrantReadWriteLock classes, but that can also be used with Java's try-with-resources facility.

• Added a new FixedBarrier.await(int) method that can be used to request rate limiting for the specified number of occurrences, rather than just a single occurrence. This can be used to make it easier to impose rate limiting in instances where the event that you're limiting doesn't fit into the existing paradigm. For example, it could be used to implement a rate-limited output stream in which you want to be able to specify the number of bytes being written at a time, instead of requiring a separate await() call for each byte being written.

• Updated the ldapsearch, ldapmodify, split-ldif, transform-ldif, and validate-ldif tools to add support for encrypted LDIF files. The passphrase used to generate the encryption key can be provided interactively or read from a file.

• Added support for two new UnboundID/Ping-proprietary request controls that can help clients prevent inadvertently requesting unindexed searches. The reject unindexed search request control can be used to indicate that the server should reject a search request if it cannot be efficiently processed using server indexes, even if the requester has the unindexed-search privilege. The permit unindexed search request control can be used to indicate that the server should process the search request even if it is unindexed, as long as the requester has the unindexed-search-with-control privilege. The ldapsearch tool has also been updated allow these controls to be included in the search requests that it generates.

• Added support for a new UnboundID/Ping-proprietary request control that can be included in a search request to indicate that the client wishes to override an internal limit that might otherwise be in effect for that operation. The ldapsearch tool has been updated to allow this control to be included in the search requests that it generates.

• Updated the summarize-access-log tool to add support for encrypted log files. The passphrase used to generate the encryption key can be provided interactively or read from a file.

UnboundID LDAP SDK for Java 4.0.4

We have just released the UnboundID LDAP SDK for Java version 4.0.4, available for download from the LDAP.com website, from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository.

There are a few noteworthy changes included in this release. The release notes go into more detail, but the highlights of these changes include:

• We updated the way that the LDAP SDK generates exception messages to make them more user-friendly. They are now less likely to include stack traces, and they are less likely to include repeated information (like LDAP SDK build information, and information duplicated from an exception’s cause).
• We fixed an issue that could cause multiple application threads to block in the course of closing a connection pool.
• We updated the way that the LDAP SDK sends LDAP messages so that it is more resilient to stalls in the TLS negotiation process.
• We updated the LDAP SDK’s ServerSet implementations so that they can perform authentication and post-connect processing, which can make health checks against newly established connections more reliable.
• We updated the GetEntryLDAPConnectionPoolHealthCheck class to provide support for invoking the health check after a pooled connection has been authenticated.
• We fixed a bug in the GetEntryLDAPConnectionPoolHealthCheck class that could cause it to behave incorrectly when checking the validity of a connection after an LDAPException was caught.
• We updated the Attribute.hasValue method to be more efficient for attributes with multiple values, and especially for attributes with a lot of values or with more complicated matching rules. This will also improve the Filter.matchesEntry method for equality filters that target similar types of attributes.
• We updated the prompt trust manager to provide better output formatting, and to provide additional warnings about conditions that may make a server certificate chain less trustworthy.
• We updated the LDAPConnectionOptions class to adjust the initial default connect timeout and operation response timeout, and the default operation response timeout can now be set differently for each type of operation. Most of the default values for options in the LDAPConnectionOptions class can now be set via system properties.

UnboundID LDAP SDK for Java 4.0.3

The 4.0.3 release of the LDAP SDK contains a single bugfix over the 4.0.2 version. Just after releasing the 4.0.2 version, we found a bug in the way that the LDAP SDK generated and verified signatures for X.509 certificates and PKCS10 certificate signing requests. That has been corrected, and the 4.0.3 release is available for download from the LDAP.com website, from our GitHub repository, from the SourceForge project, or from the Maven Central Repository.

... (truncated)

Changelog

Sourced from com.unboundid:unboundid-ldapsdk's changelog.

          <div align="right">

${TARGET="offline"} LDAP SDK Home Page ${TARGET="offline"} Product Information

          <h2>Release Notes</h2>
      &lt;h3&gt;Version 7.0.3&lt;/h3&gt;
  &amp;lt;p&amp;gt;
    The following changes were made between the 7.0.2 and 7.0.3 releases:
  &amp;lt;/p&amp;gt;

  &amp;lt;ul&amp;gt;
    &amp;lt;li&amp;gt;
      Fixed an issue in which the LDAP SDK did not properly handle certificates with a
      notBefore or notAfter timestamp that fell in the year 2049 if that timestamp was
      encoded with the antiquated UTCTime syntax, which only uses two digits to express
      the year.  The X.509 specification indicates that UTCTimestamp values with years
      of &amp;quot;00&amp;quot; through &amp;quot;49&amp;quot; should be interpreted as the years 2000 through 2049, and
      that UTCTime years of &amp;quot;50&amp;quot; through &amp;quot;99&amp;quot; should be interpreted as the years 1950
      through 1999, but the LDAP SDK incorrectly treated a year of &amp;quot;49&amp;quot; as 1949 instead
      of 2049.  All other year values were properly handled in accordance with the
      X.509 specification.
      &amp;lt;br&amp;gt;&amp;lt;br&amp;gt;
    &amp;lt;/li&amp;gt;

    &amp;lt;li&amp;gt;
      Updated client-side support for the Ping Identity-proprietary transaction
      settings request control to add the ability to request that the server acquire a
      scoped lock under certain conditions.  Scoped locks may be useful when it is
      possible to identify operations that are more likely than others to result in
      lock conflicts (for example, in a multi-tenant deployment, operations targeting
      entries in the same tenant are probably more likely to conflict than operations
      targeting entries in different tenants), to limit the potential performance
      impact in the event of a conflict.  We also added the ability to override the
      conditions under which the server may attempt to acquire a single-writer lock
      within the associated backend, which could previously only be controlled through
      the server configuration, and to indicate whether the control should be taken
      into consideration when the operation is replicated to other servers in the
      topology.
      &amp;lt;br&amp;gt;&amp;lt;br&amp;gt;
    &amp;lt;/li&amp;gt;

    &amp;lt;li&amp;gt;
      Updated the ldifmodify tool to report an error if any of the sourceLDIF,
      changesLDIF, or targetLDIF arguments referred to the same file.  They must all
      refer to different files.
      &amp;lt;br&amp;gt;&amp;lt;br&amp;gt;

... (truncated)

Commits

• b28fb50 Update the release notes for the 4.0.5 release
• 7d02fa0 Add an override search limits request control
• e30ae57 Add forName methods to enum classes
• 58a46d0 Fix an OS-specific issue in ToolInvocationLogger
• 8c77d1e Make a number of format string fixes
• 2e65024 Update ToolUtils.promptForEncryptionPassphrase
• 8471904 Fix a SimpleBindRequest bug
• 41df758 Better summarize-access-log encryption support
• 900ff84 Minor update in ToolUtils
• cdb139e Add tool compression and encryption support
• Additional commits viewable in compare view

Updates com.alibaba:fastjson from 1.2.24 to 1.2.83

Release notes

Sourced from com.alibaba:fastjson's releases.

FASTJSON 1.2.83版本发布（安全修复）

这是一个安全修复版本，修复最近收到在特定场景下可以绕过autoType关闭限制的漏洞，建议fastjson用户尽快采取安全措施保障系统安全。

安全修复方案 ：https://github.com/alibaba/fastjson/wiki/security_update_20220523

FASTJSON2已经发布并且提供兼容包，性能更好也更安全，升级指南 https://github.com/alibaba/fastjson2/wiki/fastjson_1_upgrade_cn

Issues

1. 安全加固
2. 修复JDK17下setAccessible报错的问题 #4077

• 下载 https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.83/
• 文档 https://github.com/alibaba/fastjson/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98
• 源码 https://github.com/alibaba/fastjson/tree/1.2.83
• 2.0.x Releases https://github.com/alibaba/fastjson2/releases

fastjson 1.2.79版本发布，BUG修复

这又是一个bug fixed的版本，大家按需升级

Issues

1. 修复引入MethodInheritanceComparator导致某些场景序列化报错的问题
2. 增强JDK 9兼容
3. 修复JSONArray/JSONObject的equals方法在内部对象map/list相同时不直接返回true的问题

相关链接

• 下载 https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.79/
• 文档 https://github.com/alibaba/fastjson/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98
• 源码 https://github.com/alibaba/fastjson/tree/1.2.79

fastjson 1.2.76版本发布，BUG修复增强兼容

这又是一个bug fixed的版本，大家按需升级

Issues

1. 修复一些直接抛RuntimeException的问题 #3631
2. parser自动识别gzip bytes #3614
3. 修复Throwable继承类属性不支持自动类型转换问题 #3217
4. 修复PrettyFormat情况下引用计算不对的问题 #3672
5. 修复AutoType不兼容LinkedHashMap的问题
6. 增强对Enum类型的自定类型转换
7. 修复deserializeUsing在泛型某些场景不能正常工作的问题 #3693
8. 提升JSONReader性能，减少小对象创建 #3627
9. 增强对JSONPath对filter的支持 #3629
10. JSONPath支持忽略NullValue的选项 #3607
11. 增强对定制化enum的支持 #3601
12. 增强对java.time.Instant和org.joda.time.Instant的支持 #3539
13. 修复Parser某些场景不能识别引用的问题

相关链接

• 下载 https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.76/
• 文档 https://github.com/alibaba/fastjson/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98

... (truncated)

Commits

• 26f13f8 1.2.83
• 8f3410f bug fix for autotype
• cd3c2de improved jdk8 java.time support
• c63866e remove unused import
• 35db4ad bug fix for autoType
• 3f009e1 Merge pull request #4085 from hengyunabc/fix_setAccessible
• dd3de5f fix InaccessibleObjectException in jdk17. #4077
• a234f9a Merge pull request #4084 from alibaba/revert-4078-master
• 0814909 Revert "fix InaccessibleObjectException in jdk17. #4077"
• ab82d0b Merge pull request #4078 from hengyunabc/master
• Additional commits viewable in compare view

Updates xalan:xalan from 2.7.2 to 2.7.3

Updates org.springframework:spring-beans from 4.3.7.RELEASE to 5.2.22.RELEASE

Commits

• 8f4c172 Release v5.2.22.RELEASE
• 9f238c9 Polishing
• 50177b1 Refine CachedIntrospectionResults property introspection
• 159a99b Ignore invalid STOMP frame
• 41e158c Next development version (v5.2.22.BUILD-SNAPSHOT)
• 833e750 Improve documentation and matching algorithm in data binders
• d70054d Upgrade to Log4j2 2.17.2
• 36e4951 Polishing
• 87b5080 Consistent use of getLocalAddr() without DNS lookups in request adapters
• 5cbf85a Avoid return value reference in potentially cached MethodParameter instance
• Additional commits viewable in compare view

Updates org.springframework:spring-context from 4.3.7.RELEASE to 6.1.20

Release notes

Sourced from org.springframework:spring-context's releases.

v6.1.20

⭐ New Features

• Add option for case-insensitive match to PatternMatchUtils #34802

🐞 Bug Fixes

• HttpComponentsClientHttpRequestFactory setConnectionRequestTimeout not working with httpclient 5.3.1 #34854
• Accidental ClassLoader defineClass enforcement after #34677 #34839

📔 Documentation

• Clarify CompositePropertySource behavior for EnumerablePropertySource contract #34887

🔨 Dependency Upgrades

• Upgrade to Reactor 2023.0.18 #34899

v6.1.19

⭐ New Features

• Suggest compilation with -parameters when AspectJAdviceParameterNameDiscoverer fails against ambiguity #34618

🐞 Bug Fixes

• PropertyBatchUpdateException: causes of nested PropertyAccessExceptions not shown in output #34698
• Change in Jar usecache behavior with Spring 6.1.x causing java.lang.IllegalStateException: zip file closed #34694
• Startup performance regression due to CGLIB class load attempts in Spring 6.1.x #34693
• IllegalAccessError for package-private member of AzureStorageConfiguration on WebSphere #34690
• @Configuration classes can no longer be abstract without @Bean methods #34689
• Generated-code for LinkedHashMap is missing static keyword #34661
• AbstractReactiveTransactionManager throws IllegalStateException when rollback fails after commit attempt #34619

📔 Documentation

• Add javadoc notes on potential exception suppression in ListableBeanFactory#getBeansOfType #34631
• Remove remaining references to Forwarded headers in MvcUriComponentsBuilder #34626
• MvcUriComponentsBuilder javadocs inaccurately reflects usage of forwarded headers #34620

v6.1.18

⭐ New Features

• Avoid unnecessary CGLIB processing on configuration classes #34487
• Inconsistent default class loaders in hint classes #34473

🐞 Bug Fixes

• DefaultManagedTaskExecutor throws java.lang.UnsupportedOperationException: isShutdown when rejecting tasks #34515
• Endless loop with DataSourceUtils in spring-jdbc #34497
• MockHttpServletResponse - handle multiple values for Content-Language header #34491

... (truncated)

Commits

• 1f9c59b Release v6.1.20
• edfcc6f Make use of PatternMatchUtils ignoreCase option
• f93132b Add missing @​since tags in PatternMatchUtils
• 6ab4c84 Upgrade to Reactor 2023.0.18
• d5fca0d Upgrade to Jetty 12.0.21, Netty 4.1.121, Apache HttpClient 5.4.4, Checkstyle ...
• cbb9419 Clarify CompositePropertySource behavior for EnumerablePropertySource contract
• 5b5e2b6 Fix HttpClient 5.3.x request config compatibility
• a5b0399 Polishing
• 71f2725 Try loadClass on LinkageError in case of same ClassLoader as well
• daee9f1 Reinstate the @⁠Inject Technology Compatibility Kit (TCK)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.