ENT-15121: Merging forward updates from release/os/4.11 to release/os/4.12 - 2026-06-15 #8199
Open
corda-jenkins-ci02[bot] wants to merge 6 commits into
👮🏻👮🏻👮🏻 !!!! DESCRIBE YOUR CHANGES HERE !!!! DO NOT FORGET !!!! 👮🏻👮🏻👮🏻

This PR updates assertion in KotlinUtilsTest.kt to improve null-value handling.

# PR Checklist:

- [ ] Have you run the unit, integration and smoke tests as described [here](https://docs.r3.com/testing.html)?
- [ ] If you added public APIs, did you write the JavaDocs/kdocs?
- [ ] If the changes are of interest to application developers, have you added them to the changelog, and potentially the [release notes](https://docs.r3.com/release-notes.html)?
- [ ] If you are contributing for the first time, please read the [contributor agreement](https://docs.r3.com/contributing.html) now and add a comment to this pull request stating that your PR is in accordance with the [Developer's Certificate of Origin](https://docs.r3.com/contributing.html).

Thanks for your code, it's appreciated! :)
Dependency and waiver updates for security issues:

**Jackson upgrade**

- CWE-770 Allocation of Resources Without Limits or Throttling

Required some rework to _CordaModule_ to provide some type-specific deserializers, due to the newer version of Jackson being stricter about return types for serializers/deserializers.

**Netty upgrade**

- CVE-2026-45416 Allocation of Resources Without Limits or Throttling
- CVE-2026-44249 Incorrect Comparison

**Commons-dbcp2 forced-upgrade**

- CWE-200 Information exposure

**Commons-beanutils in Serialization**

Vulnerable version of commons-beanutils was being pulled in via Artemis, but only in the _serialization_ sub-module. Added a compile dependency for a non-vulnerable beanutils in _serialization_, rather than forcing it everywhere.

- CVE-2025-48734 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

**OkHttp3 waivers**

- CVE-2021-0341 Improper Certificate Validation
- CVE-2023-0833 Information Exposure
- CVE-2023-3635 Denial of Service (DoS)

**Artemis waivers**

- CVE-2020-15250 Information Exposure
- CVE-2026-27446 Missing Authentication for Critical Function
- CVE-2025-27427 Incorrect Authorization
- CVE-2025-27391 Insertion of Sensitive Information into Log File
- CVE-2025-27391 Insertion of Sensitive Information into Log File
- CVE-2025-27391 Insertion of Sensitive Information into Log File

**Log4j waivers**

- CVE-2025-68161 Improper Validation of Certificate with Host Mismatch
- CVE-2026-34477 Improper Validation of Certificate with Host Mismatch
- CVE-2026-34480 Improper Encoding or Escaping of Output
- CVE-2026-34479 Improper Encoding or Escaping of Output

**Apache Shiro waivers**

- CVE-2026-23903 Authentication Bypass by Alternate Name
- CVE-2026-23901 Timing Attack
- CVE-2026-43827 Session Fixation
- CVE-2026-43828 Sensitive Cookie in HTTPS Session Without "Secure" Attribute

**Jetty waivers**

- CVE-2025-11143 Interpretation Conflict
- CVE-2026-2332 HTTP Request Smuggling

**Build-only waivers**

- CVE-2023-35947 Arbitrary File Write via Archive Extraction (Zip Slip)
- CVE-2020-29582 Information Exposure
- CVE-2022-24329 Improper Locking

**SnakeYaml waivers**

- CVE-2022-1471 Arbitrary Code Execution
…_dependency_updates ENT-15121 - Security dependency updates 4.11
Please remember to 'Merge' all forward merges and do not 'Squash and Merge'
This PR was created by the merge bot.
Includes: