Skip to content

Port OWASP CVE remediations to 26.3: httpcore5-h2 5.4.3, pg driver 42.7.12#1442

Merged
labkey-willm merged 1 commit into
release26.3-SNAPSHOTfrom
26.3_fb_owasp_cves_20260709
Jul 10, 2026
Merged

Port OWASP CVE remediations to 26.3: httpcore5-h2 5.4.3, pg driver 42.7.12#1442
labkey-willm merged 1 commit into
release26.3-SNAPSHOTfrom
26.3_fb_owasp_cves_20260709

Conversation

@labkey-willm

Copy link
Copy Markdown
Contributor

Rationale

Ports the OWASP dependency-check CVE remediations from develop (PR #1441, branch fb_owasp_cves_20260709) onto the 26.3 release branch. The 26.3 scan flagged CVE-2026-54399 / CVE-2026-54428 (httpcore5-h2 resolving transitively to 5.3.6) and additionally CVE-2026-54291 (postgresql JDBC driver pinned at 42.7.11 — a channel-binding downgrade fixed in 42.7.12; develop was already on 42.7.12).

Related Pull Requests

Changes

  • Force org.apache.httpcomponents.core5:httpcore5-h2 to httpcore5Version (5.4.3), upgrading the transitive 5.3.6 past the vulnerable 5.4.2 ceiling (CVE-2026-54399, CVE-2026-54428).
  • Bump postgresqlDriverVersion 42.7.11 -> 42.7.12 (CVE-2026-54291).
  • Suppress the CVE-2026-54428 false positive on the classic httpcore 4.x artifact.

Note on shaded copies

Shaded copies of these http5 libraries originate from labkey-api-jdbc and are addressed separately.

….7.12

Ports the httpcore5-h2 and pgjdbc fixes from develop (fb_owasp_cves_20260709) onto the 26.3 release branch. Force org.apache.httpcomponents.core5:httpcore5-h2 to httpcore5Version (5.4.3) so the transitive 5.3.6 is upgraded past the vulnerable 5.4.2 ceiling, clearing CVE-2026-54399 (HTTP/1.1 parser DoS) and CVE-2026-54428 (HTTP/2 HPACK decoder DoS). Bump postgresqlDriverVersion 42.7.11 -> 42.7.12 for CVE-2026-54291, a channel-binding downgrade in pgjdbc 42.7.4-42.7.11 that silently drops SCRAM-SHA-256-PLUS MITM protection (fixed in 42.7.12). Suppress the CVE-2026-54428 false positive on the classic httpcore 4.x artifact, which has no HTTP/2 module and is not affected.

Shaded copies of these libraries originate from labkey-api-jdbc and are addressed separately.
@labkey-willm labkey-willm requested a review from labkey-adam July 9, 2026 21:44
@labkey-willm labkey-willm merged commit 281b17d into release26.3-SNAPSHOT Jul 10, 2026
9 of 10 checks passed
@labkey-willm labkey-willm deleted the 26.3_fb_owasp_cves_20260709 branch July 10, 2026 15:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants