From 047c15fd0f552b29f4416c9c8b528d572fb6d040 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov <viacheslavklimov11@gmail.com>
Date: Mon, 23 Feb 2026 11:12:21 +0200
Subject: [PATCH 1/2] Fix CVE-2026-24734 and CVE-2025-66614

---
 pom.xml | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/pom.xml b/pom.xml
index b69540231e..6011d37c31 100755
--- a/pom.xml
+++ b/pom.xml
@@ -38,7 +38,8 @@
         <pkg.implementationTitle>${project.name}</pkg.implementationTitle>
         <pkg.unixLogFolder>/var/log/${pkg.name}</pkg.unixLogFolder>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
-        <spring-boot.version>3.4.10</spring-boot.version>
+        <spring-boot.version>3.4.13</spring-boot.version>
+        <tomcat.version>10.1.52</tomcat.version> <!-- to fix CVE-2026-24734 and CVE-2025-66614. TODO: remove when fixed in spring-boot-dependencies -->
         <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
         <jedis.version>5.1.5</jedis.version>
         <jjwt.version>0.12.5</jjwt.version>
@@ -147,7 +148,6 @@
         <firebase-admin.version>9.2.0</firebase-admin.version>
         <snappy.version>1.1.10.5</snappy.version>
         <rocksdbjni.version>9.10.0</rocksdbjni.version>
-        <netty.version>4.1.128.Final</netty.version> <!-- to fix CVEs. TODO: remove when fixed in spring-boot-dependencies -->
     </properties>
 
     <modules>
@@ -899,13 +899,24 @@
 
     <dependencyManagement>
         <dependencies>
+            <!-- Temporary Tomcat version override -->
             <dependency>
-                <groupId>io.netty</groupId>
-                <artifactId>netty-bom</artifactId>
-                <version>${netty.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-el</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-websocket</artifactId>
+                <version>${tomcat.version}</version>
             </dependency>
+            <!-- End of Tomcat version override -->
+
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-dependencies</artifactId>

From 154b2d564ca07297248ec25fd8db5ea62d2f3aa0 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov <viacheslavklimov11@gmail.com>
Date: Mon, 23 Feb 2026 11:13:52 +0200
Subject: [PATCH 2/2] Add Security category to release changelog

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/release.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/release.yml b/.github/release.yml
index 70852dcbb2..fe88fab0ef 100644
--- a/.github/release.yml
+++ b/.github/release.yml
@@ -19,6 +19,10 @@ changelog:
     labels:
       - Ignore for release
   categories:
+    - title: 'Security'
+      labels:
+        - 'Security'
+
     - title: 'Major Core & Rule Engine'
       labels:
         - 'Major Core'