From 24136772c42ce5871babcc789ee34909a6f94d8c Mon Sep 17 00:00:00 2001
From: shreyeep <169047851+shreyeep@users.noreply.github.com>
Date: Fri, 2 Aug 2024 09:33:14 +0530
Subject: [PATCH] [7.67.x blue] Spring/SpringBoot upgrade to address CVEs in
 transitive dependencies (#2468)

* CVE-2023-34462 Upgrade netty-handler

* Spring/SpringBoot upgrade to address CVEs in transitive dependencies

* Revert "CVE-2023-34462 Upgrade netty-handler"

This reverts commit f724de81b271a570cd3459c263d6ce871420657c.

* Spring/SpringBoot upgrade to address CVEs in transitive dependencies

* Updated versions

* Added tomcat version

* Update pom.xml

---------

Co-authored-by: Abhishek Kumar <19465051+akumar074@users.noreply.github.com>
---
 narayana-integration-bom/pom.xml | 2 +-
 pom.xml                          | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/narayana-integration-bom/pom.xml b/narayana-integration-bom/pom.xml
index 0e46b3b90e8..08b9e198f14 100644
--- a/narayana-integration-bom/pom.xml
+++ b/narayana-integration-bom/pom.xml
@@ -24,7 +24,7 @@
     <!-- narayana dependencies for tomcat and kie server -->
     <version.org.jboss.narayana.tomcat>5.9.0.Final</version.org.jboss.narayana.tomcat>
     <!-- DBCP connection pooling for Narayana -->
-    <version.org.apache.tomcat.tomcat-dbcp>9.0.83</version.org.apache.tomcat.tomcat-dbcp>
+    <version.org.apache.tomcat.tomcat-dbcp>9.0.86</version.org.apache.tomcat.tomcat-dbcp>
 
     <version.org.jboss.transaction.spi>7.6.1.Final</version.org.jboss.transaction.spi>
     <version.jakarta.transaction-api>1.3.3</version.jakarta.transaction-api>
diff --git a/pom.xml b/pom.xml
index e5e3d11f1b8..5fc476c21ef 100644
--- a/pom.xml
+++ b/pom.xml
@@ -153,7 +153,7 @@
     <version.org.apache.neethi>3.1.1</version.org.apache.neethi>
     <version.org.apache.poi>4.1.2</version.org.apache.poi>
     <version.org.apache.sshd>2.9.2</version.org.apache.sshd>
-    <version.org.apache.tomcat>9.0.83</version.org.apache.tomcat>
+    <version.org.apache.tomcat>9.0.86</version.org.apache.tomcat>
     <version.org.apache.velocity>2.3</version.org.apache.velocity>
     <version.org.apache.xmlbeans>3.1.0</version.org.apache.xmlbeans>
     <version.org.apache.ws.xmlschema>2.2.5</version.org.apache.ws.xmlschema>
@@ -262,9 +262,12 @@
     <version.org.sonatype.plexus.plexus-sec-dispatcher>2.0</version.org.sonatype.plexus.plexus-sec-dispatcher>
     <version.org.sonatype.sisu>2.3.0</version.org.sonatype.sisu>
     <version.org.sonatype.sisu.sisu-guice>3.2.3</version.org.sonatype.sisu.sisu-guice>
-    <version.org.springframework>5.3.27</version.org.springframework>
-    <version.org.springframework.boot>2.5.15</version.org.springframework.boot>
+    <version.org.springframework>5.3.34</version.org.springframework>
+    <version.org.springframework.boot>2.7.18</version.org.springframework.boot>
     <version.org.springframework.osgi>1.2.1</version.org.springframework.osgi>
+    <!-- spring-security.version and tomcat.version overrides version from spring-boot-dependencies bom -->
+    <spring-security.version>5.7.12</spring-security.version>
+    <tomcat.version>9.0.86</tomcat.version>
     <version.org.subethamail>1.2</version.org.subethamail>
     <version.org.subethamail.subethasmtp>3.1.6</version.org.subethamail.subethasmtp>
     <version.org.testcontainers>1.15.2</version.org.testcontainers>