General: backport security issues to 8.7.4 -> new version 8.7.5

[Michael-Breu-UIbk]

Summary

This change addresses two security fixes in v.8.7.4

• 035727e from v. 8.8.5: fixing access issues on repositories
• 1f61a20 from v. 8.8.6,:fixing (among others) the spring boot security issue (https://www.resolvedsecurity.com/vulnerability-catalog/GHSA-mf92-479x-3373)

A further [change] (6c20fe1) addresses additonal security issues for spring-boot-starter-thymeleaf and spring-boot-starter-web v.3.5.10 -> v.3.5.13, and downgrades incompatible versions of fasterxml and hazelcast back to the original versions of 8.7.4.

Checklist

General

• I tested all changes and their related features with all corresponding user types on a test server.
• This is a small issue that I tested locally and was confirmed by another developer on a test server.

Server

not relevant, just (minor) library version updates.

Client

no changes on client side.

Changes affecting Programming Exercises

• High priority: I tested all changes and their related features with all corresponding user types on a test server configured with the integrated lifecycle setup (LocalVC and LocalCI).
• I tested all changes and their related features with all corresponding user types on a test server configured with LocalVC and Jenkins.

Motivation and Context

The application operation policy of the university of Innsbruck requires the deployment of officially released software artifacts (no locally patched versions)

Unfortunately v8.7.4 has some critical security issues that where fixed with v. 8.8.6. However theses versions exhibit a regression of working features that are relevant for our target audience.
The upgrade to v9.0.0 is to large for a inter semester update.

There we decided to apply the relevant security updates (see below) in order to have a secured version based on the software base of 8.7.4 and hope to release it as v.8.7.5

Description

Cherry-Pickung

• 035727e from v. 8.8.5: fixing access issues on repositories

• 1f61a20 from v. 8.8.6,:fixing (among others) the spring boot security issue (https://www.resolvedsecurity.com/vulnerability-catalog/GHSA-mf92-479x-3373)

• 6c20fe1 addresses additonal security issues for spring-boot-starter-thymeleaf and spring-boot-starter-web v.3.5.10 -> v.3.5.13, and downgrades incompatible versions of fasterxml and hazelcast back to the original versions of 8.7.4.

Steps for Testing

No specific tests apply.

Mainly all features should be tested for functionality.

Exam Mode Testing

Mainly all features should be tested for functionality.

Testserver States

You can manage test servers using Helios. Check environment statuses in the environment list. To deploy to a test server, go to the CI/CD page, find your PR or branch, and trigger the deployment.

Review Progress

Performance Review

No major change expected.

Test Coverage

Warning: Server tests failed. Coverage could not be fully measured. Please check the workflow logs.

Last updated: 2026-04-20 15:38:11 UTC

Screenshots

not relevant

[github-actions]

@Michael-Breu-UIbk Test coverage could not be fully measured because some tests failed. Please check the workflow logs for details.

[krusche]

I would suggest, we create a release branch release/8.7.x and cherry-pick the changes here

[github-actions]

@Michael-Breu-UIbk Test coverage could not be fully measured because some tests failed. Please check the workflow logs for details.