We will be releasing a security patch update for the IdP, V3.3.3, currently planned for next Wednesday, May 16th. The patch includes a Spring Framework bump to pick up a fix for  and a security fix for a CAS protocol support issue that we will disclose at that time.
The CAS issue is of critical severity. Only deployers using the CAS protocol support are impacted.
The Spring issue is potentially high in severity (and is public knowledge) but we don't have any reason to believe most, or possibly any, deployers are affected. But erring on the side of caution because we allow a fair amount of Spring MVC customization, we want to make the fixed version available.