From 402cf9b5aafd75f11017afcfee263b037feaeeba Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 13 Jun 2025 14:13:01 +0200
Subject: [PATCH 1/8] CVE-2025-49146 postgresql.driver 4.7.5 -> 4.7.7
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 0260dc09be..5093c19435 100755
--- a/pom.xml
+++ b/pom.xml
@@ -103,7 +103,7 @@ 1.19.0 1.78.1 2.0.1 - 42.7.5 + 42.7.7 org/thingsboard/server/gen/**/*, org/thingsboard/server/extensions/core/plugin/telemetry/gen/**/*
From 6e4ee1eb44a049cf401b51c66bf469bf61f721d0 Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 13 Jun 2025 14:46:10 +0200
Subject: [PATCH 2/8] CVE-2025-27817 kafka client 3.7.2 -> 3.9.1 (NetworkReceive.java has no code changes in the Kafka upstream)
---
.../java/org/apache/kafka/common/network/NetworkReceive.java | 4 ++--
pom.xml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java b/application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
index 80192520ca..88a03f5fc8 100644
--- a/application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
+++ b/application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
@@ -103,13 +103,13 @@ public class NetworkReceive implements Receive {
 if (maxSize != UNLIMITED && receiveSize > maxSize) {
 throw new ThingsboardKafkaClientError("Invalid receive (size = " + receiveSize + " larger than " + maxSize + ")");
 }
- requestedBufferSize = receiveSize; //may be 0 for some payloads (SASL)
+ requestedBufferSize = receiveSize; // may be 0 for some payloads (SASL)
 if (receiveSize == 0) {
 buffer = EMPTY_BUFFER;
 }
 }
 }
- if (buffer == null && requestedBufferSize != -1) { //we know the size we want but havent been able to allocate it yet
+ if (buffer == null && requestedBufferSize != -1) { // we know the size we want but haven't been able to allocate it yet
 if (requestedBufferSize > TB_LOG_REQUESTED_BUFFER_SIZE) {
 String stackTrace = Arrays.stream(Thread.currentThread().getStackTrace()).map(StackTraceElement::toString).collect(Collectors.joining("|"));
 log.error("Allocating buffer of size {} for source {}", requestedBufferSize, source);
diff --git a/pom.xml b/pom.xml
index 5093c19435..66b153d63a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -113,7 +113,7 @@ - 3.7.2 + 3.9.1 8.10.1 3.5.3 2.2
From 6a5fd0d45c171a06048c39bb5e2f58a038304627 Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 13 Jun 2025 15:32:44 +0200
Subject: [PATCH 3/8] CVE-2024-12798 logback 1.5.5 -> 1.5.18
---
pom.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 66b153d63a..88efe6723f 100755
--- a/pom.xml
+++ b/pom.xml
@@ -52,9 +52,9 @@ 6.3.8 5.1.5 0.12.5 - 2.0.13 - 2.23.1 - 1.5.5 + 2.0.17 + 2.24.3 + 1.5.18 0.10 4.17.0 4.2.25
From 1d1a72d54dd0678fca776f555fa0ed6fda0a8aae Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 13 Jun 2025 15:35:06 +0200
Subject: [PATCH 4/8] CVE-2024-51504 org.apache.zookeeper:zookeeper@3.9.3
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 88efe6723f..011b1c967b 100755
--- a/pom.xml
+++ b/pom.xml
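Review bot: The local copy of `NetworkReceive` in NetworkReceive.java (PATCH 2/8) carries no in-file record of which upstream Kafka release it was last compared against; the only trace is the remark in the commit subject that upstream has no code changes. The path places the class in the `org.apache.kafka.common.network` package inside the application's own sources, so it presumably shadows the class shipped in the kafka-clients jar, and a copy that drifts from upstream could mask later fixes to this class, including security fixes. Since this hunk edits only two comments, I would add a header comment next to them, for example `// Local copy of Kafka's NetworkReceive with ThingsBoard changes; last compared with kafka-clients 3.9.1, re-check on every Kafka bump`. The enclosing method starts and ends outside the hunk.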
@@ -83,7 +83,7 @@ 2.3.32 2.0.1 5.6.0 - 3.9.2 + 3.9.3 3.25.5 1.63.0 1.2.6
From b69460ab01f86edbe81c5aef5f8220dcc1678942 Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 13 Jun 2025 15:42:13 +0200
Subject: [PATCH 5/8] CVE-2025-4949 org.eclipse.jgit:org.eclipse.jgit@6.10.1.202505221210-r
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 011b1c967b..fd21733bd3 100755
--- a/pom.xml
+++ b/pom.xml
@@ -158,7 +158,7 @@ 2.12.0 3.0.2 - 6.9.0.202403050737-r + 6.10.1.202505221210-r 0.4.8 1.0.0
From 14b3df350260142f856f0e62a1974e92dff981e7 Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 13 Jun 2025 15:44:51 +0200
Subject: [PATCH 6/8] CVE-2025-46701 org.apache.tomcat.embed:tomcat-embed-core@10.1.42
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index fd21733bd3..94cdff0e9f 100755
--- a/pom.xml
+++ b/pom.xml
@@ -42,7 +42,7 @@ 4.0.2 2.4.0-b180830.0359 4.0.5 - 10.1.40 + 10.1.42 2.5.2 3.2.12 3.2.12
From 56da48e2075743f212ec4613f07e90fa07eee6ef Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 13 Jun 2025 15:49:47 +0200
Subject: [PATCH 7/8] CVE-2025-41234 org.springframework:spring-web@6.1.15 -> org.springframework:spring-web@6.1.21
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 94cdff0e9f..f38ed581a1 100755
--- a/pom.xml
+++ b/pom.xml
@@ -47,7 +47,7 @@ 3.2.12 3.2.12 3.2.12 - 6.1.15 + 6.1.21 6.2.11 6.3.8 5.1.5
@@ -1173,7 +1173,7 @@ org.springframework.boot - spring-boot-starter + spring-boot-starter ${spring-boot.version}
From a39547ddeedef581aad8cd57870c41b5dd224ee3 Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 13 Jun 2025 16:08:11 +0200
Subject: [PATCH 8/8] CVE-2025-22234 org.springframework.security:spring-security-crypto@6.3.9
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index f38ed581a1..3e0a67ab0d 100755
--- a/pom.xml
+++ b/pom.xml
@@ -49,7 +49,7 @@ 3.2.12 6.1.21 6.2.11 - 6.3.8 + 6.3.9 5.1.5 0.12.5 2.0.17