From 688dde4aa628672abd5444b0d77225c764f53ed4 Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Wed, 11 Oct 2023 15:35:57 -0700
Subject: [PATCH 1/4] force netty to 4.1.100.Final for CVE CVE-2023-4586 (#587)
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index dc6a4a996e..ab28ace1ba 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -237,7 +237,7 @@ mysqlDriverVersion=8.0.33
 mssqlJdbcVersion=12.2.0.jre11
 # forced compatibility between docker and UserReg-WS
-nettyVersion=4.1.94.Final
+nettyVersion=4.1.100.Final
 objenesisVersion=1.0
From 6588fe09d42952d18b812d305b0d37fb93bd11dd Mon Sep 17 00:00:00 2001
From: Trey Chadick
Date: Thu, 12 Oct 2023 16:16:06 -0700
Subject: [PATCH 2/4] Only use hitachivantara maven repository for relevant artifacts (#589)
---
 build.gradle | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index d91a25b770..ecdf7f5ec5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -157,9 +157,13 @@ allprojects {
 maven {
 // Mondrian dependencies are available via this repository. It's a direct dependency of the Query
 // module but is declared here as many modules depend on Query and therefore need it as well.
- url "https://repo.orl.eng.hitachivantara.com/artifactory/pnt-mvn"
+ url "https://repo.orl.eng.hitachivantara.com/artifactory/pnt-mvn"
 content {
- excludeGroupByRegex "org\\.labkey.*"
+ includeGroup "pentaho"
+ includeGroup "org.pentaho"
+ includeGroup "org.olap4j"
+ includeGroup "javacup"
+ includeGroup "eigenbase"
 }
 }
 }
From 12379b6d313ec9daaeca406eff85aa4b1b1f4792 Mon Sep 17 00:00:00 2001
From: Josh Eckels
Date: Tue, 17 Oct 2023 13:04:31 -0700
Subject: [PATCH 3/4] Adopt Tomcat 9.0.82 (#591)
---
 gradle.properties | 4 ++--
 server/embedded/build.gradle | 29 ++++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 3 deletions(-)
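Review bot: The new `content { includeGroup … }` allowlist in the hitachivantara `maven {}` block replaces the `org.labkey.*` exclusion without saying why, and the comment above it still only explains that Mondrian comes from this repository; I would extend that comment with `// Allowlist: Gradle must never ask this third-party repository for any other group (dependency-confusion hardening; previously only org.labkey.* was excluded).` The filter only constrains this one repository — Gradle consults repositories in declaration order and takes a module from the first one that has it, so if a public repository declared earlier in the enclosing `repositories {}` block (outside this hunk) can serve an artifact in `org.pentaho` or `org.olap4j`, it would be picked from there; if the intent is that these groups come only from the vendor repository, the mirror-image `excludeGroup` on the public repositories is needed. `includeGroup` is an exact match, so any transitive artifact under a sub-group (say `org.pentaho.something`) would now fail to resolve from here; `includeGroupByRegex "org\\.pentaho.*"` would cover that if such artifacts exist. The enclosing `repositories {` block begins before this hunk.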
diff --git a/gradle.properties b/gradle.properties
index 2c64884548..4917c122e0 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -103,7 +103,7 @@ apacheDirectoryVersion=2.1.3
 apacheMinaVersion=2.2.1
 # Keep in sync with springBootTomcatVersion below
-apacheTomcatVersion=9.0.80
+apacheTomcatVersion=9.0.82
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -285,7 +285,7 @@ snappyJavaVersion=1.1.10.4
 springBootVersion=2.7.16
 # This MUST match the Tomcat version dictated by springBootVersion
 # Also, keep this in sync with apacheTomcatVersion above
-springBootTomcatVersion=9.0.80
+springBootTomcatVersion=9.0.82
 springVersion=5.3.28
diff --git a/server/embedded/build.gradle b/server/embedded/build.gradle
index e39751bd2a..62a1526320 100644
--- a/server/embedded/build.gradle
+++ b/server/embedded/build.gradle
@@ -31,7 +31,34 @@ dependencies {
 implementation "org.springframework.boot:spring-boot-starter-web:${springBootVersion}"
 implementation "org.springframework.boot:spring-boot-starter-actuator:${springBootVersion}"
 implementation "org.springframework.boot:spring-boot-starter-validation:${springBootVersion}"
-
+
+ // Force to the latest Tomcat version until Spring Boot 2.7.17 is released and we can adopt it
+ implementation('org.apache.tomcat.embed:tomcat-embed-core') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+ implementation('org.apache.tomcat.embed:tomcat-embed-el') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+ implementation('org.apache.tomcat.embed:tomcat-embed-websocket') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+ implementation('org.apache.tomcat:tomcat-annotations-api') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+ implementation('org.apache.tomcat:tomcat-jsp-api') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+
 // This is a transitive dependency from spring-boot-starter that we're forcing to pick up CVE hotfixes. We're not
 // vulnerable since we're not accepting untrusted Spring Boot config files, but this cleans up the reporting.
 // At some point Spring Boot should update its preferred version and we can yank this
From 4bd353ae841188b0be9051d44070f7a0a9489775 Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Tue, 17 Oct 2023 14:12:58 -0700
Subject: [PATCH 4/4] bump json-java to 20231013 for CVE-2023-5072 (#594)
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 4917c122e0..ec5db00763 100644
--- a/gradle.properties
+++ b/gradle.properties
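Review bot: The five `strictly "${springBootTomcatVersion}"` blocks are the same three lines repeated per artifact, and the only removal trigger is the prose comment; once `springBootVersion` moves past 2.7.17 these pins presumably still override whatever Tomcat version Spring Boot manages (a directly declared strict version wins over a BOM-supplied one), so the override would silently outlive its purpose and keep Tomcat at whatever `springBootTomcatVersion` happens to say. I would collapse them into one list driven by `each`, so a future maintainer deletes one block rather than five, and turn the comment into a removable marker: `// TODO(tomcat): remove once springBootVersion >= 2.7.17 — strictly overrides the Boot-managed version; until then the "MUST match the Tomcat version dictated by springBootVersion" note in gradle.properties does not hold.` The enclosing `dependencies {` block starts before this hunk and continues after its last context line.
```groovy
    implementation "org.springframework.boot:spring-boot-starter-validation:${springBootVersion}"

    // TODO(tomcat): remove once springBootVersion >= 2.7.17 — strictly overrides the Boot-managed version
    [
        'org.apache.tomcat.embed:tomcat-embed-core',
        'org.apache.tomcat.embed:tomcat-embed-el',
        'org.apache.tomcat.embed:tomcat-embed-websocket',
        'org.apache.tomcat:tomcat-annotations-api',
        'org.apache.tomcat:tomcat-jsp-api',
    ].each { coordinates ->
        implementation(coordinates) {
            version {
                strictly "${springBootTomcatVersion}"
            }
        }
    }
    // … unchanged: forced transitive spring-boot-starter dependency and its comment …
```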
@@ -222,7 +222,7 @@ jodaTimeVersion=2.8.1
 # brought in transitively from guava and other google packages. Need to resolve consistently
 jsr305Version=3.0.2
-orgJsonVersion=20230618
+orgJsonVersion=20231013
 jsoupVersion=1.16.1