Pin Tomcat version (#105)

Signed-off-by: Andrew Berezovskyi <andriib@kth.se>
eclipse · Jun 7, 2021 · 3363977 · 3363977
1 parent fce9bf5
commit 3363977
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,8 +10,9 @@
 - Update Kotlin from 1.4.20 to 1.5.10  
 - Lyo Validation returns more messages in the reports. _Make sure your code logic scans all messages the report if you are looking for a specific error._
 - Update Eclipse Paho from 1.2.1 to 1.2.5 due to a potential security vulnerability.
-- Force libthrift from 0.13.0 to 0.14.1 due to a [vulnerability](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETHRIFT-1074898).
-- Force httpclient to 4.5.13 due to a [vulnerability](https://github.com/eclipse/lyo/pull/103).
+- Pin libthrift version to 0.14.1 due to a [vulnerability](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETHRIFT-1074898).
+- Pin httpclient version to 4.5.13 due to a [vulnerability](https://github.com/eclipse/lyo/pull/103).
+- Pin embedded Tomcat version (pulled in by Jena) to 8.5.66 due to [CVE-2021-25329](https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-1080637)
 
 ### Deprecated
 

diff --git a/pom.xml b/pom.xml
@@ -364,6 +364,12 @@
           <artifactId>httpclient</artifactId>
           <version>4.5.13</version>
       </dependency>
+      <!-- https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-1080637 -->
+      <dependency>
+          <groupId>org.apache.tomcat.embed</groupId>
+          <artifactId>tomcat-embed-core</artifactId>
+          <version>8.5.66</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>