From d1227517e64bd8251f94994db38bdd59124c42d5 Mon Sep 17 00:00:00 2001 From: Will Mooreston Date: Wed, 8 Jul 2026 12:45:32 -0700 Subject: [PATCH] Update Tomcat, HttpCore5, Jackson for OWASP CVE remediation --- dependencyCheckSuppression.xml | 21 ++++++++++++++++++++- gradle.properties | 10 +++++----- 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 0fe1a5999d..36cd5c494d 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -327,5 +327,24 @@ ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$ CVE-2026-53914 - + + + + ^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$ + CVE-2026-54399 + + + + + ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$ + CVE-2026-53914 + diff --git a/gradle.properties b/gradle.properties index 60f1759e85..54eb1f3095 100644 --- a/gradle.properties +++ b/gradle.properties @@ -100,7 +100,7 @@ apacheDirectoryVersion=2.1.7 apacheMinaVersion=2.2.7 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below) -apacheTomcatVersion=11.0.22 +apacheTomcatVersion=11.0.23 # (mothership) -> json-path -> json-smart -> accessor-smart # (core) -> graalvm @@ -186,7 +186,7 @@ hamcrestVersion=2.2 htsjdkVersion=4.3.0 httpclient5Version=5.5.2 -httpcore5Version=5.4 +httpcore5Version=5.4.3 # Not used directly, but these are widely used transitive dependencies httpclientVersion=4.5.14 @@ -195,9 +195,9 @@ httpcoreVersion=4.4.16 intellijKotlinVersion=2.3.10 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others -jacksonVersion=2.21.4 -jacksonDatabindVersion=2.21.4 -jacksonJaxrsBaseVersion=2.21.4 +jacksonVersion=2.21.5 +jacksonDatabindVersion=2.21.5 +jacksonJaxrsBaseVersion=2.21.5 # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21