diff --git a/build.gradle b/build.gradle index 8c7c36b0ed..92e9976b6d 100644 --- a/build.gradle +++ b/build.gradle @@ -248,6 +248,8 @@ allprojects { // force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr force "org.apache.httpcomponents:httpcore:${httpcoreVersion}" force "org.apache.httpcomponents.core5:httpcore5:${httpcore5Version}" + // align httpcore5-h2 with httpcore5; the transitive 5.3.6 is exposed to CVE-2026-54399/CVE-2026-54428 (fixed in 5.4.3) + force "org.apache.httpcomponents.core5:httpcore5-h2:${httpcore5Version}" // force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr force "org.apache.httpcomponents:httpclient:${httpclientVersion}" force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}" diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 4c5e10925c..cc31a5443f 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -438,14 +438,15 @@ CVE-2025-15104 ^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$ CVE-2026-54399 + CVE-2026-54428