From df46309cd00ff6c4d8f501053126577af24d0180 Mon Sep 17 00:00:00 2001 From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com> Date: Thu, 9 Jul 2026 10:00:39 -0700 Subject: [PATCH 1/2] Update Tomcat, HttpCore5, Jackson for OWASP CVE remediation (#1440) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Rationale LabKey Server's OWASP Dependency Check build is failing on develop with 124 findings, the bulk of them from a handful of vulnerable third-party dependencies. This PR clears the findings that can be resolved by version bumps/forces and suppresses two verified false positives. this is a backport from develop ## Related Pull Requests - https://github.com/LabKey/server/pull/1438 ## Changes - Tomcat 11.0.22 -> 11.0.23: CVE-2026-53434 and CVE-2026-55276 (CRITICAL 9.1), plus CVE-2026-53404, CVE-2026-55955, CVE-2026-55956, CVE-2026-50229 - httpcore5 5.4.2 -> 5.4.3, and a new httpcore5-h2 force at 5.4.3 (previously transitive at 5.3.6): CVE-2026-54399 - Jackson 2.21.4 -> 2.21.5 (jacksonVersion, jacksonDatabindVersion, jacksonJaxrsBaseVersion): CVE-2026-54515 - Suppress classic httpcore 4.x for CVE-2026-54399 (the CVE is scoped to HttpComponents Core 5.x; the 4.x line is EOL and unaffected) - Suppress Kotlin runtime jars for CVE-2026-53914 (a Kotlin build-cache-metadata deserialization flaw scored 6.7 MEDIUM by JetBrains, not applicable to the shipped stdlib/reflect runtime jars) - Update comments to document that apacheTomcatVersion is intentionally held ahead of Spring Boot's managed Tomcat --- dependencyCheckSuppression.xml | 21 ++++++++++++++++++++- gradle.properties | 10 +++++----- 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 0fe1a5999d..36cd5c494d 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -327,5 +327,24 @@ ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$ CVE-2026-53914 - + + + + ^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$ + CVE-2026-54399 + + + + + ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$ + CVE-2026-53914 + diff --git a/gradle.properties b/gradle.properties index 60f1759e85..54eb1f3095 100644 --- a/gradle.properties +++ b/gradle.properties @@ -100,7 +100,7 @@ apacheDirectoryVersion=2.1.7 apacheMinaVersion=2.2.7 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below) -apacheTomcatVersion=11.0.22 +apacheTomcatVersion=11.0.23 # (mothership) -> json-path -> json-smart -> accessor-smart # (core) -> graalvm @@ -186,7 +186,7 @@ hamcrestVersion=2.2 htsjdkVersion=4.3.0 httpclient5Version=5.5.2 -httpcore5Version=5.4 +httpcore5Version=5.4.3 # Not used directly, but these are widely used transitive dependencies httpclientVersion=4.5.14 @@ -195,9 +195,9 @@ httpcoreVersion=4.4.16 intellijKotlinVersion=2.3.10 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others -jacksonVersion=2.21.4 -jacksonDatabindVersion=2.21.4 -jacksonJaxrsBaseVersion=2.21.4 +jacksonVersion=2.21.5 +jacksonDatabindVersion=2.21.5 +jacksonJaxrsBaseVersion=2.21.5 # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21 From 281b17de1e83620ae1fb14646a7f4680a769c0ba Mon Sep 17 00:00:00 2001 From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com> Date: Fri, 10 Jul 2026 08:39:53 -0700 Subject: [PATCH 2/2] Port OWASP CVE remediations to 26.3: httpcore5-h2 5.4.3, pg driver 42.7.12 (#1442) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Rationale Ports the OWASP dependency-check CVE remediations from develop (PR #1441, branch fb_owasp_cves_20260709) onto the 26.3 release branch. The 26.3 scan flagged CVE-2026-54399 / CVE-2026-54428 (httpcore5-h2 resolving transitively to 5.3.6) and additionally CVE-2026-54291 (postgresql JDBC driver pinned at 42.7.11 — a channel-binding downgrade fixed in 42.7.12; develop was already on 42.7.12). ## Related Pull Requests - https://github.com/LabKey/server/pull/1441 ## Changes - Force `org.apache.httpcomponents.core5:httpcore5-h2` to `httpcore5Version` (5.4.3), upgrading the transitive 5.3.6 past the vulnerable 5.4.2 ceiling (CVE-2026-54399, CVE-2026-54428). - Bump `postgresqlDriverVersion` 42.7.11 -> 42.7.12 (CVE-2026-54291). - Suppress the CVE-2026-54428 false positive on the classic httpcore 4.x artifact. ## Note on shaded copies Shaded copies of these http5 libraries originate from labkey-api-jdbc and are addressed separately. --- build.gradle | 2 ++ dependencyCheckSuppression.xml | 6 +++--- gradle.properties | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index 43d3040ee6..6317a82efd 100644 --- a/build.gradle +++ b/build.gradle @@ -245,6 +245,8 @@ allprojects { // force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr force "org.apache.httpcomponents:httpcore:${httpcoreVersion}" force "org.apache.httpcomponents.core5:httpcore5:${httpcore5Version}" + // align httpcore5-h2 with httpcore5; the transitive 5.3.6 is exposed to CVE-2026-54399/CVE-2026-54428 (fixed in 5.4.3) + force "org.apache.httpcomponents.core5:httpcore5-h2:${httpcore5Version}" // force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr force "org.apache.httpcomponents:httpclient:${httpclientVersion}" force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}" diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 36cd5c494d..83a4d7b1eb 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -328,14 +328,14 @@ CVE-2026-53914 + CVE-2026-54399 (httpcore5 HTTP/1.1 parser) and CVE-2026-54428 (httpcore5-h2 HTTP/2 HPACK decoder) are both scoped to Apache HttpComponents Core 5.x only. The classic httpcore 4.x line (org.apache.httpcomponents:httpcore) is EOL, has no HTTP/2 module, is not listed as affected, and has no fixed 4.4.x release. False positives for the 4.x artifact. --> ^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$ CVE-2026-54399 + CVE-2026-54428