From 133bbc3b9d955413d0969ab04e5710c5687e31cc Mon Sep 17 00:00:00 2001 From: Will Mooreston Date: Thu, 9 Jul 2026 14:34:32 -0700 Subject: [PATCH] Port OWASP CVE remediations to 26.3: httpcore5-h2 5.4.3, pg driver 42.7.12 Ports the httpcore5-h2 and pgjdbc fixes from develop (fb_owasp_cves_20260709) onto the 26.3 release branch. Force org.apache.httpcomponents.core5:httpcore5-h2 to httpcore5Version (5.4.3) so the transitive 5.3.6 is upgraded past the vulnerable 5.4.2 ceiling, clearing CVE-2026-54399 (HTTP/1.1 parser DoS) and CVE-2026-54428 (HTTP/2 HPACK decoder DoS). Bump postgresqlDriverVersion 42.7.11 -> 42.7.12 for CVE-2026-54291, a channel-binding downgrade in pgjdbc 42.7.4-42.7.11 that silently drops SCRAM-SHA-256-PLUS MITM protection (fixed in 42.7.12). Suppress the CVE-2026-54428 false positive on the classic httpcore 4.x artifact, which has no HTTP/2 module and is not affected. Shaded copies of these libraries originate from labkey-api-jdbc and are addressed separately. --- build.gradle | 2 ++ dependencyCheckSuppression.xml | 6 +++--- gradle.properties | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index 43d3040ee6..6317a82efd 100644 --- a/build.gradle +++ b/build.gradle @@ -245,6 +245,8 @@ allprojects { // force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr force "org.apache.httpcomponents:httpcore:${httpcoreVersion}" force "org.apache.httpcomponents.core5:httpcore5:${httpcore5Version}" + // align httpcore5-h2 with httpcore5; the transitive 5.3.6 is exposed to CVE-2026-54399/CVE-2026-54428 (fixed in 5.4.3) + force "org.apache.httpcomponents.core5:httpcore5-h2:${httpcore5Version}" // force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr force "org.apache.httpcomponents:httpclient:${httpclientVersion}" force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}" diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 36cd5c494d..83a4d7b1eb 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -328,14 +328,14 @@ CVE-2026-53914 + CVE-2026-54399 (httpcore5 HTTP/1.1 parser) and CVE-2026-54428 (httpcore5-h2 HTTP/2 HPACK decoder) are both scoped to Apache HttpComponents Core 5.x only. The classic httpcore 4.x line (org.apache.httpcomponents:httpcore) is EOL, has no HTTP/2 module, is not listed as affected, and has no fixed 4.4.x release. False positives for the 4.x artifact. --> ^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$ CVE-2026-54399 + CVE-2026-54428