This is an automated email from the ASF dual-hosted git repository.

chenzhida pushed a commit to branch 2.8.x
in repository https://gitbox.apache.org/repos/asf/servicecomb-java-chassis.git


The following commit(s) were added to refs/heads/2.8.x by this push:
     new 88774b8ee upgrade org.apache.tomcat.embed:tomcat-embed-core to 9.0.108 
(#4986)
88774b8ee is described below

commit 88774b8ee65166e18b596f3adc94674c664db62d
Author: qlonglong <[email protected]>
AuthorDate: Wed Oct 22 17:40:04 2025 +0800

    upgrade org.apache.tomcat.embed:tomcat-embed-core to 9.0.108 (#4986)
    
    Due to JDK version constraints, Spring Boot cannot be upgraded further. 
Therefore, tomcat-embed-core can only be upgraded to 9.0.108 to address the 
CVE-2025-48989 vulnerability.
---
 dependencies/default/pom.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/dependencies/default/pom.xml b/dependencies/default/pom.xml
index c9132cc26..46bb11157 100644
--- a/dependencies/default/pom.xml
+++ b/dependencies/default/pom.xml
@@ -101,6 +101,7 @@
     <vertx.version>4.5.21</vertx.version>
     <zipkin.version>2.24.0</zipkin.version>
     <zipkin-reporter.version>2.16.3</zipkin-reporter.version>
+    <tomcat.version>9.0.108</tomcat.version>
     <!-- Base dir of main -->
     <main.basedir>${basedir}/../..</main.basedir>
   </properties>
@@ -774,6 +775,22 @@
         <version>${java-websocket.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-core</artifactId>
+        <version>${tomcat.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-el</artifactId>
+        <version>${tomcat.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-websocket</artifactId>
+        <version>${tomcat.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>org.apache.servicecomb</groupId>
         <artifactId>java-chassis-bom</artifactId>
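Review bot: The three new `org.apache.tomcat.embed` entries have no comment marking them as a security override, so after a later Spring Boot upgrade they could silently hold Tomcat at 9.0.108, behind whatever the upstream BOM would manage. I would add above the first entry `<!-- Pinned for CVE-2025-48989; remove once the managed Spring Boot version brings Tomcat >= 9.0.108 -->`. Only core, el and websocket are pinned, so any other Tomcat artifact a module resolves (for example `tomcat-embed-jasper`, not visible here) would stay on the older managed version and mix Tomcat releases. It is worth confirming with `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` that the resolved versions are uniform and that 9.0.108 is what actually ships. The enclosing block, presumably `dependencyManagement`, starts and ends outside the hunk.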
