Fix CVE-2026-24734 and CVE-2025-66614

3 months ago · 047c15fd0f
1 changed files with 18 additions and 7 deletions
--- a/pom.xml
+++ b/pom.xml
@ -38,7 +38,8 @@
        <pkg.implementationTitle>${project.name}</pkg.implementationTitle>
        <pkg.unixLogFolder>/var/log/${pkg.name}</pkg.unixLogFolder>
        <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
-        <spring-boot.version>3.4.10</spring-boot.version>
+        <spring-boot.version>3.4.13</spring-boot.version>
+        <tomcat.version>10.1.52</tomcat.version> <!-- to fix CVE-2026-24734 and CVE-2025-66614. TODO: remove when fixed in spring-boot-dependencies -->
        <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
        <jedis.version>5.1.5</jedis.version>
        <jjwt.version>0.12.5</jjwt.version>
@ -147,7 +148,6 @@
        <firebase-admin.version>9.2.0</firebase-admin.version>
        <snappy.version>1.1.10.5</snappy.version>
        <rocksdbjni.version>9.10.0</rocksdbjni.version>
-        <netty.version>4.1.128.Final</netty.version> <!-- to fix CVEs. TODO: remove when fixed in spring-boot-dependencies -->
    </properties>

    <modules>
@ -899,13 +899,24 @@

    <dependencyManagement>
        <dependencies>
+            <!-- Temporary Tomcat version override -->
            <dependency>
-                <groupId>io.netty</groupId>
-                <artifactId>netty-bom</artifactId>
-                <version>${netty.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-el</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-websocket</artifactId>
+                <version>${tomcat.version}</version>
            </dependency>
+            <!-- End of Tomcat version override -->
+
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>