Skip to content

[bot] Merge 26.3 to 26.7#1444

Open
github-actions[bot] wants to merge 3 commits into
release26.7-SNAPSHOTfrom
26.7_fb_bot_merge_26.3
Open

[bot] Merge 26.3 to 26.7#1444
github-actions[bot] wants to merge 3 commits into
release26.7-SNAPSHOTfrom
26.7_fb_bot_merge_26.3

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Generated automatically.
Merging changes from: 281b17d
Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
Verify all PRs before approving: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=26.7_fb_bot_merge_26.3

labkey-willm and others added 3 commits July 9, 2026 10:00
## Rationale
LabKey Server's OWASP Dependency Check build is failing on develop with
124 findings, the bulk of them from a handful of vulnerable third-party
dependencies. This PR clears the findings that can be resolved by
version bumps/forces and suppresses two verified false positives.

this is a backport from develop

## Related Pull Requests
- #1438

## Changes
- Tomcat 11.0.22 -> 11.0.23: CVE-2026-53434 and CVE-2026-55276 (CRITICAL
9.1), plus CVE-2026-53404, CVE-2026-55955, CVE-2026-55956,
CVE-2026-50229
- httpcore5 5.4.2 -> 5.4.3, and a new httpcore5-h2 force at 5.4.3
(previously transitive at 5.3.6): CVE-2026-54399
- Jackson 2.21.4 -> 2.21.5 (jacksonVersion, jacksonDatabindVersion,
jacksonJaxrsBaseVersion): CVE-2026-54515
- Suppress classic httpcore 4.x for CVE-2026-54399 (the CVE is scoped to
HttpComponents Core 5.x; the 4.x line is EOL and unaffected)
- Suppress Kotlin runtime jars for CVE-2026-53914 (a Kotlin
build-cache-metadata deserialization flaw scored 6.7 MEDIUM by
JetBrains, not applicable to the shipped stdlib/reflect runtime jars)
- Update comments to document that apacheTomcatVersion is intentionally
held ahead of Spring Boot's managed Tomcat

<!-- list of standard tasks (remove this comment to enable)
## Tasks 📍
- [ ] Claude Code Review
- [ ] Manual Testing
- [ ] Test Automation
- [ ] Verify Fix
-->
….7.12 (#1442)

## Rationale
Ports the OWASP dependency-check CVE remediations from develop (PR
#1441, branch fb_owasp_cves_20260709) onto the 26.3 release branch. The
26.3 scan flagged CVE-2026-54399 / CVE-2026-54428 (httpcore5-h2
resolving transitively to 5.3.6) and additionally CVE-2026-54291
(postgresql JDBC driver pinned at 42.7.11 — a channel-binding downgrade
fixed in 42.7.12; develop was already on 42.7.12).

## Related Pull Requests
- #1441

## Changes
- Force `org.apache.httpcomponents.core5:httpcore5-h2` to
`httpcore5Version` (5.4.3), upgrading the transitive 5.3.6 past the
vulnerable 5.4.2 ceiling (CVE-2026-54399, CVE-2026-54428).
- Bump `postgresqlDriverVersion` 42.7.11 -> 42.7.12 (CVE-2026-54291).
- Suppress the CVE-2026-54428 false positive on the classic httpcore 4.x
artifact.

## Note on shaded copies
Shaded copies of these http5 libraries originate from labkey-api-jdbc
and are addressed separately.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants