Merge pull request #15598 from thingsboard/fix/cves-lts-4.2

Fixed CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587
3 weeks ago · d8115cd40a
1 changed files with 10 additions and 0 deletions
--- a/pom.xml
+++ b/pom.xml
@ -69,6 +69,7 @@
        <spring-boot-test.version>3.5.13</spring-boot-test.version>
        <commons-lang3.version>3.18.0</commons-lang3.version> <!-- to fix CVE-2025-48924. TODO: remove when fixed in spring-boot-dependencies -->
        <postgresql.version>42.7.11</postgresql.version> <!-- to fix CVE-2026-42198. TODO: remove when fixed in spring-boot-dependencies -->
+        <netty.version>4.1.133.Final</netty.version> <!-- to fix CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587. TODO: remove when fixed in spring-boot-dependencies -->
        <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
        <jjwt.version>0.12.5</jjwt.version>
        <rat.version>0.10</rat.version> <!-- unused -->
@ -1006,6 +1007,15 @@

    <dependencyManagement>
        <dependencies>
+            <!-- Temporary netty-bom version override -->
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <!-- End of netty-bom version override -->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>