From df46309cd00ff6c4d8f501053126577af24d0180 Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Thu, 9 Jul 2026 10:00:39 -0700
Subject: [PATCH 1/2] Update Tomcat, HttpCore5, Jackson for OWASP CVE
remediation (#1440)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
## Rationale
LabKey Server's OWASP Dependency Check build is failing on develop with
124 findings, the bulk of them from a handful of vulnerable third-party
dependencies. This PR clears the findings that can be resolved by
version bumps/forces and suppresses two verified false positives.
this is a backport from develop
## Related Pull Requests
- https://github.com/LabKey/server/pull/1438
## Changes
- Tomcat 11.0.22 -> 11.0.23: CVE-2026-53434 and CVE-2026-55276 (CRITICAL
9.1), plus CVE-2026-53404, CVE-2026-55955, CVE-2026-55956,
CVE-2026-50229
- httpcore5 5.4.2 -> 5.4.3, and a new httpcore5-h2 force at 5.4.3
(previously transitive at 5.3.6): CVE-2026-54399
- Jackson 2.21.4 -> 2.21.5 (jacksonVersion, jacksonDatabindVersion,
jacksonJaxrsBaseVersion): CVE-2026-54515
- Suppress classic httpcore 4.x for CVE-2026-54399 (the CVE is scoped to
HttpComponents Core 5.x; the 4.x line is EOL and unaffected)
- Suppress Kotlin runtime jars for CVE-2026-53914 (a Kotlin
build-cache-metadata deserialization flaw scored 6.7 MEDIUM by
JetBrains, not applicable to the shipped stdlib/reflect runtime jars)
- Update comments to document that apacheTomcatVersion is intentionally
held ahead of Spring Boot's managed Tomcat
---
dependencyCheckSuppression.xml | 21 ++++++++++++++++++++-
gradle.properties | 10 +++++-----
2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 0fe1a5999d..36cd5c494d 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -327,5 +327,24 @@
^pkg:maven/org\.jetbrains\.kotlin/.*@.*$
CVE-2026-53914
-
+
+
+
+ ^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$
+ CVE-2026-54399
+
+
+
+
+ ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$
+ CVE-2026-53914
+
diff --git a/gradle.properties b/gradle.properties
index 60f1759e85..54eb1f3095 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -100,7 +100,7 @@ apacheDirectoryVersion=2.1.7
apacheMinaVersion=2.2.7
# Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=11.0.22
+apacheTomcatVersion=11.0.23
# (mothership) -> json-path -> json-smart -> accessor-smart
# (core) -> graalvm
@@ -186,7 +186,7 @@ hamcrestVersion=2.2
htsjdkVersion=4.3.0
httpclient5Version=5.5.2
-httpcore5Version=5.4
+httpcore5Version=5.4.3
# Not used directly, but these are widely used transitive dependencies
httpclientVersion=4.5.14
@@ -195,9 +195,9 @@ httpcoreVersion=4.4.16
intellijKotlinVersion=2.3.10
# Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others
-jacksonVersion=2.21.4
-jacksonDatabindVersion=2.21.4
-jacksonJaxrsBaseVersion=2.21.4
+jacksonVersion=2.21.5
+jacksonDatabindVersion=2.21.5
+jacksonJaxrsBaseVersion=2.21.5
# Note the inconsistent version numbering for "annotations"... it no longer matches the above
jacksonAnnotationsVersion=2.21
From 281b17de1e83620ae1fb14646a7f4680a769c0ba Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Fri, 10 Jul 2026 08:39:53 -0700
Subject: [PATCH 2/2] Port OWASP CVE remediations to 26.3: httpcore5-h2 5.4.3,
pg driver 42.7.12 (#1442)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
## Rationale
Ports the OWASP dependency-check CVE remediations from develop (PR
#1441, branch fb_owasp_cves_20260709) onto the 26.3 release branch. The
26.3 scan flagged CVE-2026-54399 / CVE-2026-54428 (httpcore5-h2
resolving transitively to 5.3.6) and additionally CVE-2026-54291
(postgresql JDBC driver pinned at 42.7.11 — a channel-binding downgrade
fixed in 42.7.12; develop was already on 42.7.12).
## Related Pull Requests
- https://github.com/LabKey/server/pull/1441
## Changes
- Force `org.apache.httpcomponents.core5:httpcore5-h2` to
`httpcore5Version` (5.4.3), upgrading the transitive 5.3.6 past the
vulnerable 5.4.2 ceiling (CVE-2026-54399, CVE-2026-54428).
- Bump `postgresqlDriverVersion` 42.7.11 -> 42.7.12 (CVE-2026-54291).
- Suppress the CVE-2026-54428 false positive on the classic httpcore 4.x
artifact.
## Note on shaded copies
Shaded copies of these http5 libraries originate from labkey-api-jdbc
and are addressed separately.
---
build.gradle | 2 ++
dependencyCheckSuppression.xml | 6 +++---
gradle.properties | 2 +-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/build.gradle b/build.gradle
index 43d3040ee6..6317a82efd 100644
--- a/build.gradle
+++ b/build.gradle
@@ -245,6 +245,8 @@ allprojects {
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpcore:${httpcoreVersion}"
force "org.apache.httpcomponents.core5:httpcore5:${httpcore5Version}"
+ // align httpcore5-h2 with httpcore5; the transitive 5.3.6 is exposed to CVE-2026-54399/CVE-2026-54428 (fixed in 5.4.3)
+ force "org.apache.httpcomponents.core5:httpcore5-h2:${httpcore5Version}"
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpclient:${httpclientVersion}"
force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}"
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 36cd5c494d..83a4d7b1eb 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -328,14 +328,14 @@
CVE-2026-53914
+ CVE-2026-54399 (httpcore5 HTTP/1.1 parser) and CVE-2026-54428 (httpcore5-h2 HTTP/2 HPACK decoder) are both scoped to Apache HttpComponents Core 5.x only. The classic httpcore 4.x line (org.apache.httpcomponents:httpcore) is EOL, has no HTTP/2 module, is not listed as affected, and has no fixed 4.4.x release. False positives for the 4.x artifact. -->
^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$
CVE-2026-54399
+ CVE-2026-54428