Added security note for Spring Framework

jlouvel · jlouvel · commit 655514e001bb · 2024-11-24T14:54:34.000-05:00
CVE warning
diff --git a/changes.md b/changes.md
@@ -2,6 +2,11 @@ Changes log
 ===========
 
 - 2.5.0 (??-11-2024)
+    - Security
+       - Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization
+         of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and
+         authentication may be required. Restlet Framework isn't able to upgrade to Spring Framewortk version 6.0 due to its
+         requirement to use Java 8. If you are running Java 17+, please override the Spring dependency in your POM to version 6.0+
     - Misc
       - Deprecated POP, POPS, SMTP, SMTPS protocol constants and SmtpPlainHelper for upcoming removal as the JavaMail extension
         is no more.
