Merge pull request #15076 from thingsboard/fix/vulnerabilities

Fixed CVE-2026-24734 and CVE-2025-66614
3 months ago · 30aa12f40c
2 changed files with 22 additions and 7 deletions
--- a/.github/release.yml
+++ b/.github/release.yml
@ -19,6 +19,10 @@ changelog:
    labels:
      - Ignore for release
  categories:
+    - title: 'Security'
+      labels:
+        - 'Security'
+
    - title: 'Major Core & Rule Engine'
      labels:
        - 'Major Core'
--- a/pom.xml
+++ b/pom.xml
@ -38,7 +38,8 @@
        <pkg.implementationTitle>${project.name}</pkg.implementationTitle>
        <pkg.unixLogFolder>/var/log/${pkg.name}</pkg.unixLogFolder>
        <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
-        <spring-boot.version>3.4.10</spring-boot.version>
+        <spring-boot.version>3.4.13</spring-boot.version>
+        <tomcat.version>10.1.52</tomcat.version> <!-- to fix CVE-2026-24734 and CVE-2025-66614. TODO: remove when fixed in spring-boot-dependencies -->
        <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
        <jedis.version>5.1.5</jedis.version>
        <jjwt.version>0.12.5</jjwt.version>
@ -147,7 +148,6 @@
        <firebase-admin.version>9.2.0</firebase-admin.version>
        <snappy.version>1.1.10.5</snappy.version>
        <rocksdbjni.version>9.10.0</rocksdbjni.version>
-        <netty.version>4.1.128.Final</netty.version> <!-- to fix CVEs. TODO: remove when fixed in spring-boot-dependencies -->
    </properties>

    <modules>
@ -899,13 +899,24 @@

    <dependencyManagement>
        <dependencies>
+            <!-- Temporary Tomcat version override -->
            <dependency>
-                <groupId>io.netty</groupId>
-                <artifactId>netty-bom</artifactId>
-                <version>${netty.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-el</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-websocket</artifactId>
+                <version>${tomcat.version}</version>
            </dependency>
+            <!-- End of Tomcat version override -->
+
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>