Broadleaf Commerce 6.1.14-GA

Released on October 12, 2023

Overview

This is the 14th patch release for Broadleaf Framework 6.1.x. Upgrading a 6.1.x application to 6.1.14-GA should only require changing the broadleaf-boot-starter-parent version to 6.1.14-GA in the application's parent pom.xml.

New and Noteworthy

Library Upgrades

The following core libraries were upgraded to pick up fixes for security vulnerabilities (old version -> new version):

  • Spring: 5.2.24.RELEASE -> 5.2.25.RELEASE
  • AntiSamy: 1.7.3 -> 1.7.4
  • Jackson: 2.14.2 -> 2.15.2
  • Lombok: 1.18.26 -> 1.18.30
  • Commons IO: 2.11.0 -> 2.13.0
  • Commons Codec: 1.14 -> 1.15
  • XMLBeans: 5.0.0 -> 5.1.1
  • Joda-Time: 2.1 -> 2.9.9
  • Tika core: 2.7.0 -> 2.9.9
  • Guava: 31.1 -> 32.1.2
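Bumping the starter parent only helps if the patched versions actually win dependency resolution; a version pinned in a child pom's dependencyManagement or pulled in by another BOM can silently keep the old artifact on the classpath. The check below is an added example, not Broadleaf's code and not part of this release: it parses `mvn dependency:list` output and reports every security-bumped artifact that still resolves below the patched version. The Maven coordinates in the spec and the sample `dependency:list` output are constructed here for illustration; extend the spec with the remaining libraries from the list above using the coordinates from your own dependency tree.

```shell
#!/bin/sh
# Added example (not Broadleaf project code). Verifies that the artifacts bumped
# for security fixes resolve at or above the patched version in your build.
# Real usage:  mvn -q dependency:list -DoutputFile=/dev/stdout | check_deps "$MIN_VERSIONS"

# Spec: "group:artifact minimumVersion", one per line. Coordinates are assumed
# from the library names in the release notes; a few entries shown, add the rest.
MIN_VERSIONS='
org.springframework:spring-core 5.2.25.RELEASE
org.springframework:spring-web 5.2.25.RELEASE
com.fasterxml.jackson.core:jackson-databind 2.15.2
com.google.guava:guava 32.1.2
commons-io:commons-io 2.13.0
org.owasp.antisamy:antisamy 1.7.4
'

# Constructed sample of `mvn dependency:list` output: everything is on the
# patched version except jackson-databind, which something else has pinned.
SAMPLE_DEPS='
The following files have been resolved:
   org.springframework:spring-core:jar:5.2.25.RELEASE:compile
   org.springframework:spring-web:jar:5.2.25.RELEASE:compile
   com.fasterxml.jackson.core:jackson-databind:jar:2.14.2:compile
   com.google.guava:guava:jar:32.1.2-jre:compile
   commons-io:commons-io:jar:2.13.0:compile
   org.owasp.antisamy:antisamy:jar:1.7.4:compile
   org.hibernate:hibernate-core:jar:5.4.33.Final:compile
'

# check_deps SPEC < dependency-list-output
# Prints "BELOW group:artifact found < required" per offending artifact.
# Exit status 1 if any artifact is below its minimum, 0 otherwise.
check_deps() {
    awk -v spec="$1" '
        # Keep only the leading numeric prefix: 5.2.25.RELEASE -> 5.2.25., 32.1.2-jre -> 32.1.2
        function numver(v) { sub(/[^0-9.].*$/, "", v); return v }
        # 1 if version a >= b, comparing dotted numeric fields; missing fields count as 0
        function vge(a, b,   pa, pb, na, nb, n, i, x, y) {
            na = split(numver(a), pa, "."); nb = split(numver(b), pb, ".")
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? pa[i] + 0 : 0
                y = (i <= nb) ? pb[i] + 0 : 0
                if (x != y) return x > y
            }
            return 1
        }
        BEGIN {
            n = split(spec, lines, "\n")
            for (i = 1; i <= n; i++) if (split(lines[i], f, " ") == 2) min[f[1]] = f[2]
        }
        {
            sub(/^[ \t]+/, ""); sub(/ -- .*$/, "")     # drop indent and any trailing module note
            n = split($0, f, ":")
            if (n < 5) next                            # not a coordinate line
            coord = f[1] ":" f[2]
            ver = (n == 6) ? f[5] : f[4]               # g:a:type[:classifier]:version:scope
            if (coord in min && !vge(ver, min[coord])) {
                printf "BELOW %s %s < %s\n", coord, ver, min[coord]
                bad++
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_DEPS" | check_deps "$MIN_VERSIONS" \
    && echo "all listed artifacts resolve at the patched version" \
    || echo "some artifacts still resolve below the patched version (see BELOW lines)"
```

Qualifiers such as `.RELEASE`, `-jre` or `.Final` are ignored on purpose so that `32.1.2-jre` satisfies a minimum of `32.1.2`; a nonzero exit status makes the check usable as a CI gate after the upgrade.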

An at-a-glance view of the issues that were closed in this release:

Major Bug(1)

  • Fixed a reported Insecure Direct Object Reference (IDOR) vulnerability in BroadleafAdminRequestProcessor: an admin user's session can no longer be used to manipulate entities that belong to other sites.

Enhancements(3)

  • Changed the visibility of the created-bundles collection in blResourceBundlingService from private to protected.
  • Updated the core libraries listed above.
  • Merged bug fixes and enhancements included in 6.0.20-GA

Total Resolved Issues: 4