Suppress CVE-2025-49146 (#1093)

labkey-susanh · web-flow · commit 53cb77fa1794 · 2025-06-13T15:56:16.000-07:00
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -217,4 +217,13 @@
        <packageUrl regex="true">^pkg:maven/org\.itadaki/bzip2@.*$</packageUrl>
        <cve>CVE-2005-1260</cve>
     </suppress>
+
+    <!-- Related to the setting of channel binding as required, which is not relevant to us. -->
+    <suppress>
+        <notes><![CDATA[
+       file name: postgresql-42.7.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
+        <vulnerabilityName>CVE-2025-49146</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
@@ -266,7 +266,8 @@ poiVersion=5.4.0
 
 pollingWatchVersion=0.2.0
 
-postgresqlDriverVersion=42.7.7
+# Newer versions of the driver have a perf degradation that's important for us. https://github.com/pgjdbc/pgjdbc/issues/3505
+postgresqlDriverVersion=42.7.4
 
 quartzVersion=2.5.0
 
