From 513566bd7b666f9712c555d1ddf5c6f46c92f2c9 Mon Sep 17 00:00:00 2001 From: Andrii Shvaika Date: Fri, 23 May 2025 11:13:18 +0300 Subject: [PATCH 1/9] Docker file improvements to support installation without mounting the configuration folder (cherry picked from commit a6997cb4a1e61ebae64ab05a63d8dff4b6f0dded) --- msa/tb-node/docker/Dockerfile | 4 ++- msa/tb-node/docker/logback.xml | 38 +++++++++++++++++++++++++++++ msa/tb-node/docker/start-tb-node.sh | 18 ++++++++------ 3 files changed, 52 insertions(+), 8 deletions(-) create mode 100644 msa/tb-node/docker/logback.xml diff --git a/msa/tb-node/docker/Dockerfile b/msa/tb-node/docker/Dockerfile index dfca56acc7..013a37ef9c 100644 --- a/msa/tb-node/docker/Dockerfile +++ b/msa/tb-node/docker/Dockerfile @@ -16,12 +16,14 @@ FROM thingsboard/openjdk17:bookworm-slim -COPY start-tb-node.sh ${pkg.name}.deb /tmp/ +COPY logback.xml start-tb-node.sh ${pkg.name}.deb /tmp/ RUN chmod a+x /tmp/*.sh \ && mv /tmp/start-tb-node.sh /usr/bin && \ (yes | dpkg -i /tmp/${pkg.name}.deb) && \ rm /tmp/${pkg.name}.deb && \ + mv /tmp/logback.xml ${pkg.installFolder}/conf && \ + chown -R ${pkg.user}:${pkg.user} ${pkg.installFolder}/conf/logback.xml && \ (systemctl --no-reload disable --now ${pkg.name}.service > /dev/null 2>&1 || :) && \ chown -R ${pkg.user}:${pkg.user} /tmp && \ chmod 555 ${pkg.installFolder}/bin/${pkg.name}.jar diff --git a/msa/tb-node/docker/logback.xml b/msa/tb-node/docker/logback.xml new file mode 100644 index 0000000000..269cb89396 --- /dev/null +++ b/msa/tb-node/docker/logback.xml @@ -0,0 +1,38 @@ + + + + + + + + %d{ISO8601} [%thread] %-5level %logger{36} - %msg%n + + + + + + + + + + + + + + diff --git a/msa/tb-node/docker/start-tb-node.sh b/msa/tb-node/docker/start-tb-node.sh index 7de30564c9..77221398be 100755 --- a/msa/tb-node/docker/start-tb-node.sh +++ b/msa/tb-node/docker/start-tb-node.sh 
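Review bot: The added `chown -R ${pkg.user}:${pkg.user} ${pkg.installFolder}/conf/logback.xml` in the Dockerfile `RUN` chain hands the baked-in logging configuration to the account the service presumably runs as, although the start script only reads it through `-Dlogging.config`. A logging configuration that the running process can rewrite weakens the image: patch 4/9 of this series bumps logback for CVE-2024-12798, which as far as I know requires a tampered configuration file as its precondition. I would leave the file root-owned and read-only by replacing that line with `chmod 444 ${pkg.installFolder}/conf/logback.xml && \`; the `-R` is also unnecessary on a single file. Whether the `conf` directory itself is writable by `${pkg.user}` is not visible in this hunk and is worth checking for the same reason.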
@@ -15,14 +15,21 @@ # limitations under the License. # -CONF_FOLDER="/config" jarfile=${pkg.installFolder}/bin/${pkg.name}.jar configfile=${pkg.name}.conf run_user=${pkg.user} -source "${CONF_FOLDER}/${configfile}" +CONF_FOLDER="/config" +if [ -d "${CONF_FOLDER}" ]; then + LOGGING_CONFIG="${CONF_FOLDER}/logback.xml" + source "${CONF_FOLDER}/${configfile}" + export LOADER_PATH=${CONF_FOLDER},${LOADER_PATH} +else + CONF_FOLDER="/usr/share/${pkg.name}/conf" + LOGGING_CONFIG="/usr/share/${pkg.name}/conf/logback.xml" + source "${CONF_FOLDER}/${configfile}" +fi -export LOADER_PATH=/config,${LOADER_PATH} cd ${pkg.installFolder}/bin @@ -38,7 +45,6 @@ if [ "$INSTALL_TB" == "true" ]; then exec java -cp ${jarfile} $JAVA_OPTS -Dloader.main=org.thingsboard.server.ThingsboardInstallApplication \ -Dinstall.load_demo=${loadDemo} \ - -Dspring.jpa.hibernate.ddl-auto=none \ -Dinstall.upgrade=false \ -Dlogging.config=/usr/share/thingsboard/bin/install/logback.xml \ org.springframework.boot.loader.launch.PropertiesLauncher @@ -51,7 +57,6 @@ elif [ "$UPGRADE_TB" == "true" ]; then fromVersion="${FROM_VERSION// }" exec java -cp ${jarfile} $JAVA_OPTS -Dloader.main=org.thingsboard.server.ThingsboardInstallApplication \ - -Dspring.jpa.hibernate.ddl-auto=none \ -Dinstall.upgrade=true \ -Dinstall.upgrade.from_version=${fromVersion} \ -Dlogging.config=/usr/share/thingsboard/bin/install/logback.xml \ @@ -62,8 +67,7 @@ else echo "Starting '${project.name}' ..." exec java -cp ${jarfile} $JAVA_OPTS -Dloader.main=org.thingsboard.server.ThingsboardServerApplication \ - -Dspring.jpa.hibernate.ddl-auto=none \ - -Dlogging.config=/config/logback.xml \ + -Dlogging.config=${LOGGING_CONFIG} \ org.springframework.boot.loader.launch.PropertiesLauncher fi From 402cf9b5aafd75f11017afcfee263b037feaeeba Mon Sep 17 00:00:00 2001 
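Review bot: The `/config` branch in the first hunk of start-tb-node.sh is chosen on directory existence alone, so a mount that holds only some of the files still takes it. In that case `source "${CONF_FOLDER}/${configfile}"` fails without stopping the script (no `set -e` is visible in the hunk) and `LOGGING_CONFIG` may point at a file that does not exist. Testing the files instead, `if [ -f "${CONF_FOLDER}/${configfile}" ] && [ -f "${CONF_FOLDER}/logback.xml" ]; then`, makes the fallback predictable. The else branch also hard-codes `/usr/share/${pkg.name}/conf` while the Dockerfile in this patch installs logback.xml under `${pkg.installFolder}/conf`; `CONF_FOLDER="${pkg.installFolder}/conf"` followed by `LOGGING_CONFIG="${CONF_FOLDER}/logback.xml"` keeps the two in step.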
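Review bot: With `-Dspring.jpa.hibernate.ddl-auto=none` removed from the server invocation in the last start-tb-node.sh hunk (and from the install and upgrade invocations in the two hunks before it), the setting is no longer pinned on the command line. Its effective value then depends on the application configuration and environment the container is started with, which can include a mounted `/config`. The commit message does not explain the removal; if schema changes at startup must stay disabled, keep the flag or add a comment beside each `exec java` saying where the value is now enforced. Separately, the new `-Dlogging.config=${LOGGING_CONFIG}` is unquoted, and `"-Dlogging.config=${LOGGING_CONFIG}"` avoids word splitting should the install path ever contain whitespace. The enclosing if/elif/else starts outside this hunk.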
From: Sergey Matvienko Date: Fri, 13 Jun 2025 14:13:01 +0200 Subject: [PATCH 2/9] CVE-2025-49146 postgresql.driver 4.7.5 -> 4.7.7 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 0260dc09be..5093c19435 100755 --- a/pom.xml +++ b/pom.xml @@ -103,7 +103,7 @@ 1.19.0 1.78.1 2.0.1 - 42.7.5 + 42.7.7 org/thingsboard/server/gen/**/*, org/thingsboard/server/extensions/core/plugin/telemetry/gen/**/* From 6e4ee1eb44a049cf401b51c66bf469bf61f721d0 Mon Sep 17 00:00:00 2001 From: Sergey Matvienko Date: Fri, 13 Jun 2025 14:46:10 +0200 Subject: [PATCH 3/9] CVE-2025-27817 kafka client 3.7.2 -> 3.9.1 (NetworkReceive.java has no code changes in the Kafka upstream) --- .../java/org/apache/kafka/common/network/NetworkReceive.java | 4 ++-- pom.xml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java b/application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java index 80192520ca..88a03f5fc8 100644 --- a/application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java +++ b/application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java 
@@ -103,13 +103,13 @@ public class NetworkReceive implements Receive { if (maxSize != UNLIMITED && receiveSize > maxSize) { throw new ThingsboardKafkaClientError("Invalid receive (size = " + receiveSize + " larger than " + maxSize + ")"); } - requestedBufferSize = receiveSize; //may be 0 for some payloads (SASL) + requestedBufferSize = receiveSize; // may be 0 for some payloads (SASL) if (receiveSize == 0) { buffer = EMPTY_BUFFER; } } } - if (buffer == null && requestedBufferSize != -1) { //we know the size we want but havent been able to allocate it yet + if (buffer == null && requestedBufferSize != -1) { // we know the size we want but haven't been able to allocate it yet if (requestedBufferSize > TB_LOG_REQUESTED_BUFFER_SIZE) { String stackTrace = Arrays.stream(Thread.currentThread().getStackTrace()).map(StackTraceElement::toString).collect(Collectors.joining("|")); log.error("Allocating buffer of size {} for source {}", requestedBufferSize, source); diff --git a/pom.xml b/pom.xml index 5093c19435..66b153d63a 100755 --- a/pom.xml +++ b/pom.xml @@ -113,7 +113,7 @@ - 3.7.2 + 3.9.1 8.10.1 3.5.3 2.2 From 6a5fd0d45c171a06048c39bb5e2f58a038304627 Mon Sep 17 00:00:00 2001 From: Sergey Matvienko Date: Fri, 13 Jun 2025 15:32:44 +0200 Subject: [PATCH 4/9] CVE-2024-12798 logback 1.5.5 -> 1.5.18 --- pom.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 66b153d63a..88efe6723f 100755 --- a/pom.xml +++ b/pom.xml @@ -52,9 +52,9 @@ 6.3.8 5.1.5 0.12.5 - 2.0.13 - 2.23.1 - 1.5.5 + 2.0.17 + 2.24.3 + 1.5.18 0.10 4.17.0 4.2.25 From 1d1a72d54dd0678fca776f555fa0ed6fda0a8aae Mon Sep 17 00:00:00 2001 From: Sergey Matvienko Date: Fri, 13 Jun 2025 15:35:06 +0200 Subject: [PATCH 5/9] CVE-2024-51504 org.apache.zookeeper:zookeeper@3.9.3 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 88efe6723f..011b1c967b 100755 --- a/pom.xml +++ b/pom.xml 
@@ -83,7 +83,7 @@ 2.3.32 2.0.1 5.6.0 - 3.9.2 + 3.9.3 3.25.5 1.63.0 1.2.6 From b69460ab01f86edbe81c5aef5f8220dcc1678942 Mon Sep 17 00:00:00 2001 From: Sergey Matvienko Date: Fri, 13 Jun 2025 15:42:13 +0200 Subject: [PATCH 6/9] CVE-2025-4949 org.eclipse.jgit:org.eclipse.jgit@6.10.1.202505221210-r --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 011b1c967b..fd21733bd3 100755 --- a/pom.xml +++ b/pom.xml @@ -158,7 +158,7 @@ 2.12.0 3.0.2 - 6.9.0.202403050737-r + 6.10.1.202505221210-r 0.4.8 1.0.0 From 14b3df350260142f856f0e62a1974e92dff981e7 Mon Sep 17 00:00:00 2001 From: Sergey Matvienko Date: Fri, 13 Jun 2025 15:44:51 +0200 Subject: [PATCH 7/9] CVE-2025-46701 org.apache.tomcat.embed:tomcat-embed-core@10.1.42 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index fd21733bd3..94cdff0e9f 100755 --- a/pom.xml +++ b/pom.xml @@ -42,7 +42,7 @@ 4.0.2 2.4.0-b180830.0359 4.0.5 - 10.1.40 + 10.1.42 2.5.2 3.2.12 3.2.12 From 56da48e2075743f212ec4613f07e90fa07eee6ef Mon Sep 17 00:00:00 2001 From: Sergey Matvienko Date: Fri, 13 Jun 2025 15:49:47 +0200 Subject: [PATCH 8/9] CVE-2025-41234 org.springframework:spring-web@6.1.15 -> org.springframework:spring-web@6.1.21 --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 94cdff0e9f..f38ed581a1 100755 --- a/pom.xml +++ b/pom.xml @@ -47,7 +47,7 @@ 3.2.12 3.2.12 3.2.12 - 6.1.15 + 6.1.21 6.2.11 6.3.8 5.1.5 @@ -1173,7 +1173,7 @@ org.springframework.boot - spring-boot-starter + spring-boot-starter ${spring-boot.version} From a39547ddeedef581aad8cd57870c41b5dd224ee3 Mon Sep 17 00:00:00 2001 From: Sergey Matvienko Date: Fri, 13 Jun 2025 16:08:11 +0200 Subject: [PATCH 9/9] CVE-2025-22234 org.springframework.security:spring-security-crypto@6.3.9 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f38ed581a1..3e0a67ab0d 100755 --- a/pom.xml 
+++ b/pom.xml @@ -49,7 +49,7 @@ 3.2.12 6.1.21 6.2.11 - 6.3.8 + 6.3.9 5.1.5 0.12.5 2.0.17