bump spring for CVE-2026-24734 (tomcat is already correct for this spring version) #1290

Open
labkey-willm wants to merge 1 commit into develop from fb_fix_CVE-2026-24734

labkey-willm commented Feb 19, 2026

Rationale

bump spring for CVE-2026-24734 (tomcat is already correct for this spring version)

this PR is on hold until spring AI is updated to pull the patched version of spring framework, as 2.0.0-M2 is currently pulling 4.0.1 which pulls tomcat 11.0.15

org.apache.tomcat.embed:tomcat-embed-core:11.0.15
+--- org.apache.tomcat.embed:tomcat-embed-websocket:11.0.15
|    \--- org.springframework.boot:spring-boot-starter-tomcat-runtime:4.0.1
|         \--- org.springframework.boot:spring-boot-starter-tomcat:4.0.1
|              \--- org.springframework.boot:spring-boot-starter-web:4.0.1
|                   \--- org.springframework.ai:spring-ai-starter-mcp-server-webmvc:2.0.0-M2
|                        \--- external
+--- org.springframework.boot:spring-boot-starter-tomcat-runtime:4.0.1 (*)
\--- org.springframework.boot:spring-boot-tomcat:4.0.1
     +--- org.springframework.boot:spring-boot-starter-tomcat:4.0.1 (*)
     \--- org.springframework.boot:spring-boot-starter-tomcat-runtime:4.0.1 (*)

Related Pull Requests

Changes
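
Added example, not part of this PR or the project's code: a small parser for the inverted dependency tree quoted in the description, which walks from the Tomcat artifact out to the dependency the build declares directly. It assumes the tree uses Gradle's 5-column indentation, that "(*)" marks a subtree already printed elsewhere, and that a leaf without a group:artifact:version coordinate ("external" here) is the build's own configuration; the function names are hypothetical.

```python
import re

# Constructed sample: the inverted dependency tree quoted in the PR description.
TREE = r"""org.apache.tomcat.embed:tomcat-embed-core:11.0.15
+--- org.apache.tomcat.embed:tomcat-embed-websocket:11.0.15
|    \--- org.springframework.boot:spring-boot-starter-tomcat-runtime:4.0.1
|         \--- org.springframework.boot:spring-boot-starter-tomcat:4.0.1
|              \--- org.springframework.boot:spring-boot-starter-web:4.0.1
|                   \--- org.springframework.ai:spring-ai-starter-mcp-server-webmvc:2.0.0-M2
|                        \--- external
+--- org.springframework.boot:spring-boot-starter-tomcat-runtime:4.0.1 (*)
\--- org.springframework.boot:spring-boot-tomcat:4.0.1
     +--- org.springframework.boot:spring-boot-starter-tomcat:4.0.1 (*)
     \--- org.springframework.boot:spring-boot-starter-tomcat-runtime:4.0.1 (*)
"""

# Assumption: each nesting level is 5 columns wide; "(*)" flags a repeated subtree.
NODE = re.compile(
    r"^(?P<indent>[| ]*)(?P<conn>[+\\]--- )?(?P<name>\S+)(?P<seen> \(\*\))?\s*$"
)


def requester_chains(tree):
    """Paths from the target artifact out to each fully printed leaf requester."""
    nodes = []
    for line in tree.splitlines():
        m = NODE.match(line)
        if m:
            depth = len(m["indent"]) // 5 + 1 if m["conn"] else 0
            nodes.append((depth, m["name"], bool(m["seen"])))
    chains, stack = [], []
    for i, (depth, name, seen) in enumerate(nodes):
        del stack[depth:]  # discard siblings and deeper entries from earlier lines
        stack.append(name)
        is_leaf = i + 1 == len(nodes) or nodes[i + 1][0] <= depth
        if is_leaf and not seen:  # "(*)" leaves are expanded elsewhere in the tree
            chains.append(list(stack))
    return chains


def declared_requesters(tree):
    """Coordinates the build requests directly (their leaf is not a g:a:v coordinate)."""
    return sorted({c[-2] for c in requester_chains(tree)
                   if len(c) > 1 and ":" not in c[-1]})


if __name__ == "__main__":
    for coord in declared_requesters(TREE):
        print("declared dependency pulling the target:", coord)
```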
