Skip to content

Commit c189292

Browse files
committed
Upgrade to Spring Boot 3.5.15 to fix Netty and Spring CVEs
3.5.15 ships Netty 4.1.135.Final (fixes CVE-2026-42582 and 18 additional Netty CVEs) and Spring Framework 6.2.19 (fixes CVE-2026-41840 through CVE-2026-41851). Also ships Tomcat 10.1.55 so the explicit overrides for Netty and Tomcat are no longer needed. Reverts the CVE suppressions added in the previous commit.
1 parent 3e73308 commit c189292

2 files changed

Lines changed: 1 addition & 30 deletions

File tree

allow-list.xml

Lines changed: 0 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -39,26 +39,4 @@
3939
<vulnerabilityName>GHSA-7rx3-28cr-v5wh</vulnerabilityName>
4040
<vulnerabilityName>GHSA-442j-39wm-28r2</vulnerabilityName>
4141
</suppress>
42-
<suppress>
43-
<notes><![CDATA[
44-
CVE-2026-42582 affects Netty 4.1.134.Final. No fixed release available yet.
45-
Tracked for resolution via a dependency upgrade PR.
46-
]]></notes>
47-
<packageUrl regex="true">^pkg:maven/io\.netty/.*@.*$</packageUrl>
48-
<cve>CVE-2026-42582</cve>
49-
</suppress>
50-
<suppress>
51-
<notes><![CDATA[
52-
CVE-2026-41840 through CVE-2026-41851 affect Spring Framework 6.2.18, pulled in via
53-
spring-boot-dependencies:3.5.14. No fixed Spring Boot 3.5.x release available yet.
54-
Tracked for resolution via a dependency upgrade PR.
55-
]]></notes>
56-
<packageUrl regex="true">^pkg:maven/org\.springframework/.*@.*$</packageUrl>
57-
<cve>CVE-2026-41840</cve>
58-
<cve>CVE-2026-41841</cve>
59-
<cve>CVE-2026-41842</cve>
60-
<cve>CVE-2026-41843</cve>
61-
<cve>CVE-2026-41850</cve>
62-
<cve>CVE-2026-41851</cve>
63-
</suppress>
6442
</suppressions>

symphony-bdk-bom/build.gradle

Lines changed: 1 addition & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -16,15 +16,13 @@ repositories {
1616

1717
dependencies {
1818
// import Spring Boot's BOM
19-
api platform('org.springframework.boot:spring-boot-dependencies:3.5.14')
19+
api platform('org.springframework.boot:spring-boot-dependencies:3.5.15')
2020
// import Jackson's BOM
2121
api platform('com.fasterxml.jackson:jackson-bom:2.18.2')
2222
// import Jersey's BOM
2323
api platform('org.glassfish.jersey:jersey-bom:3.1.9')
2424
// import Log4j's BOM
2525
api platform('org.apache.logging.log4j:log4j-bom:2.26.0')
26-
// override Netty (Spring Boot 3.5.14 ships 4.1.132 which is still vulnerable to CVE-2026-41417)
27-
api platform('io.netty:netty-bom:4.1.134.Final')
2826

2927
// define all our dependencies versions
3028
constraints {
@@ -45,11 +43,6 @@ dependencies {
4543

4644
// External dependencies
4745

48-
// override Tomcat (Spring Boot 3.5.14 ships 10.1.54 which is vulnerable to multiple CVEs)
49-
api 'org.apache.tomcat.embed:tomcat-embed-core:10.1.55'
50-
api 'org.apache.tomcat.embed:tomcat-embed-el:10.1.55'
51-
api 'org.apache.tomcat.embed:tomcat-embed-websocket:10.1.55'
52-
5346
api 'org.apiguardian:apiguardian-api:1.1.2'
5447

5548
api 'org.slf4j:slf4j-api:2.0.9'

0 commit comments

Comments
 (0)