Commit 6370f22
chore(deps): use version 9.0.62 of tomcat to resolve CVE-2021-43980, CVE-2022-23181, CVE-2022-42252 (spinnaker#997)
Here's a snippet of ./gradlew kork-tomcat:dependencies before this change:

    +--- org.springframework.boot:spring-boot-starter-tomcat:2.4.13
    |    +--- jakarta.annotation:jakarta.annotation-api:1.3.5
    |    +--- org.apache.tomcat.embed:tomcat-embed-core:9.0.55
    |    +--- org.glassfish:jakarta.el:3.0.4
    |    \--- org.apache.tomcat.embed:tomcat-embed-websocket:9.0.55
    |         \--- org.apache.tomcat.embed:tomcat-embed-core:9.0.55
    +--- org.springframework:spring-web:5.3.13 (*)

with this change:

    +--- org.springframework.boot:spring-boot-starter-tomcat:2.4.13
    |    +--- jakarta.annotation:jakarta.annotation-api:1.3.5
    |    +--- org.apache.tomcat.embed:tomcat-embed-core:9.0.55 -> 9.0.62
    |    +--- org.glassfish:jakarta.el:3.0.4
    |    \--- org.apache.tomcat.embed:tomcat-embed-websocket:9.0.55 -> 9.0.62
    |         \--- org.apache.tomcat.embed:tomcat-embed-core:9.0.62
1 parent c2aabe6 commit 6370f22

1 file changed: +4 -2 lines changed

spinnaker-dependencies/spinnaker-dependencies.gradle

Lines changed: 4 additions & 2 deletions
@@ -28,8 +28,10 @@ ext {
2828
springCloud : "2020.0.5",
2929
springfoxSwagger : "2.9.2",
3030
swagger : "1.5.20", //this should stay in sync with what springfoxSwagger expects
31-
// spring boot 2.4.13 brings in 9.0.55, but leave this here to simplify fixing future CVEs.
32-
tomcat : "9.0.55"
31+
// spring boot 2.4.13 brings in 9.0.55. Use 9.0.62 to resolve
32+
// CVE-2021-43980, CVE-2022-23181, CVE-2022-42252. Spring boot 2.5.14
33+
// brings in 9.0.63.
34+
tomcat : "9.0.62"
3335
]
3436
}
3537
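Review bot: the replacement comment on lines 31-33 drops the old rationale for keeping a separate tomcat entry at all ("leave this here to simplify fixing future CVEs") and does not say what happens when Spring Boot is bumped; since the comment itself records that Spring Boot 2.5.14 brings in 9.0.63, a hard pin of "9.0.62" will turn into a downgrade of tomcat-embed-core and tomcat-embed-websocket as soon as the springBoot version in this file moves forward. Suggest keeping the "why this entry exists" sentence and adding one line such as "// raise or remove this pin whenever springBoot is bumped so it never resolves below the starter's default", so the next person updating Spring Boot does not leave Tomcat held back at a version older than the one the starter already provides.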
