From c2239a7bf946510e10b6447efdb4c8c9c88f442c Mon Sep 17 00:00:00 2001
From: Susan Hert
Date: Thu, 12 Jun 2025 17:21:51 -0700
Subject: [PATCH 1/3] Update to Postgres driver version 42.7.7 (#1092)
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 031eeeafe3..e2e0549417 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -266,7 +266,7 @@ poiVersion=5.4.0
 pollingWatchVersion=0.2.0
-postgresqlDriverVersion=42.7.4
+postgresqlDriverVersion=42.7.7
 quartzVersion=2.5.0
From 53cb77fa17943e805ef5bf95717e387cb76694ff Mon Sep 17 00:00:00 2001
From: Susan Hert
Date: Fri, 13 Jun 2025 15:56:16 -0700
Subject: [PATCH 2/3] Suppress CVE-2025-49146 (#1093)
---
 dependencyCheckSuppression.xml | 9 +++++++++
 gradle.properties | 3 ++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index e05aa61253..0ec7e51890 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -217,4 +217,13 @@ ^pkg:maven/org\.itadaki/bzip2@.*$ CVE-2005-1260 + + + + + ^pkg:maven/org\.postgresql/postgresql@.*$ + CVE-2025-49146 +
diff --git a/gradle.properties b/gradle.properties
index e2e0549417..3b79b8ac3e 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -266,7 +266,8 @@ poiVersion=5.4.0
 pollingWatchVersion=0.2.0
-postgresqlDriverVersion=42.7.7
+# Newer versions of the driver have a perf degradation that's important for us. https://github.com/pgjdbc/pgjdbc/issues/3505
+postgresqlDriverVersion=42.7.4
 quartzVersion=2.5.0
From d89754d295efb59721bc4023ede48919ad6eece5 Mon Sep 17 00:00:00 2001
From: Susan Hert
Date: Mon, 16 Jun 2025 09:17:37 -0700
Subject: [PATCH 3/3] Update spring to 6.2.8 for CVE-2025-41234 (#1094)
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 3b79b8ac3e..e7e45fe173 100644
--- a/gradle.properties
+++ b/gradle.properties
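Review bot: The suppression added to dependencyCheckSuppression.xml in patch 2/3 is not scoped to the pinned driver: its pattern `^pkg:maven/org\.postgresql/postgresql@.*$` matches every version, so CVE-2025-49146 stays hidden on any other affected version and the entry never becomes visibly stale. Narrow it to the version actually shipped, `^pkg:maven/org\.postgresql/postgresql@42\.7\.4$`, and give the `<suppress>` element an expiry such as `until="<REVIEW-DATE>Z"` so the scanner re-raises the finding for a decision. The notes text is not visible in this rendering; as I understand the advisory it concerns connections that set `channelBinding=require`, so the notes should record whether any connection string in this project relies on that setting.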
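Review bot: The comment added above `postgresqlDriverVersion=42.7.4` in patch 2/3 records the performance reason for the pin but not its security cost. The line reverts the 42.7.7 upgrade from patch 1/3, and the same commit suppresses CVE-2025-49146 to keep the dependency check passing, yet nothing in gradle.properties ties the two together. Extend the comment so the pin and the suppression are removed together, e.g. `# Pinned to 42.7.4 for perf (pgjdbc issue 3505); CVE-2025-49146 is suppressed in dependencyCheckSuppression.xml - drop both when upgrading.`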
@@ -292,7 +292,7 @@ snappyJavaVersion=1.1.10.7
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
 springBootVersion=3.4.5
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=6.2.7
+springVersion=6.2.8
 sqliteJdbcVersion=3.49.1.0