[Security] Bump spring-webmvc from 5.0.13.RELEASE to 5.0.17.RELEASE

[dependabot-preview]

Bumps spring-webmvc from 5.0.13.RELEASE to 5.0.17.RELEASE. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects org.springframework:spring-webmvc and org.springframework:spring-webflux In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Affected versions: >= 5.0.0, < 5.0.16

Release notes

Sourced from spring-webmvc's releases.

v5.0.17.RELEASE

⭐ New Features

• Honor overridden AcceptHeaderLocaleContextResolver.getDefaultLocale() #24877
• Consistent ROLE_INFRASTRUCTURE declarations for internal configuration classes #24515

🪲 Bug Fixes

• MockHttpServletRequest should not strip brackets from IPV6 address supplied via Host header #24918
• Connection created by SingleConnectionDataSource with suppressClose=true always returns isClosed=false even if the target connection is closed #24859
• DefaultListableBeanFactory.getBean(Class) throws NoSuchBeanDefinitionException on existing bean if getBean(Class) previously tried before registration #24856
• Recursively copy directory with symbolic link #24827
• Using UriComponentsBuilder.cloneBuilder does not copy uriVariables #24780
• Missing nullability declarations for package web.socket.server.jetty #24751
• MediaTypeNotSupportedStatusException seems unused #24749
• addCandidateComponentsFromIndex should create ScannedGenericBeanDefinitions #24640
• Cycle in LogAdapter.Log4jLog initialization within log appender #24451

📔 Documentation

• Update advice on RestTemplate #24504

v5.0.16.RELEASE

⭐ New Features

• Cache result of String.getBytes() in ExtendedBeanInfo.PropertyDescriptorComparator #24109
• Avoid substring allocation in StringUtils.replace #24025
• Support for new MySQL 8 error code 3572 #23974

🪲 Bug Fixes

• Unsafe double-checked locking in SpelExpression#compileExpression #24307
• Escape quotes in filename in ContentDisposition.Builder when charset not specified #24230
• SqlRowSet accessor methods should be marked @Nullable #24045
• Allow schemaZip Gradle task to execute on MS Windows #23988
• Bean definition override leads to NPE due to inconsistent equality check #23709
• Fix DefaultListableBeanFactory#copyConfigurationFrom #23708
• Synchronized blocks in MethodOverrides are hurting concurrency #23707

📔 Documentation

• TypeDescriptor#getElementTypeDescriptor does not throw IllegalStateException anymore #23998
• Correct Javadoc for WebMvcConfigurer#addInterceptors #23926

v5.0.15.RELEASE

⭐ New Features

• Javadoc missing on some public BeanDefinitionParserDelegate methods #23398
• Thread-safe removal of destruction callbacks in web scopes #23118
• Guard against ConcurrentModificationExceptions in the systemProperties PropertySource #23112

... (truncated)

Commits

• 782325b Release version 5.0.17.RELEASE
• 5587262 Polishing
• 6dcabd8 Store source in index-derived ScannedGenericBeanDefinition as well
• 6a6ad05 Retain brackets for IPV6 address in MockHttpServletRequest
• 4ec2844 Honor overridden AcceptHeaderLocaleContextResolver.getDefaultLocale()
• d9eacaa Recursively copy directory with symbolic link
• a33b7bb Close-suppressing Connection proxy exposes target isClosed() state
• 56e7d73 Clear by-type cache in case of no pre-existing bean definition as well
• 11aaf6a UriComponentsBuilder.cloneBuilder copies uriVariables
• 701f54b Polishing
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)