From bc28f239a62479c2610dfc8ef67a51ad45fd6e66 Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Thu, 18 Sep 2025 09:58:35 -0700
Subject: [PATCH 1/2] bump spring etc for CVE-2025-41249 (#1184)
---
 gradle.properties | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gradle.properties b/gradle.properties
index dc87d30952..65af6ccaf5 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -99,7 +99,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.4
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=10.1.44
+apacheTomcatVersion=10.1.46
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -287,9 +287,9 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.7
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=3.5.3
+springBootVersion=3.5.6
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=6.2.10
+springVersion=6.2.11
 sqliteJdbcVersion=3.50.3.0
From f3d9b9520dd2d13b509600d3cba35972ae03b597 Mon Sep 17 00:00:00 2001
From: bbimber
Date: Sun, 21 Sep 2025 08:15:17 -0700
Subject: [PATCH 2/2] Add Directive.Script in ContentSecurityPolicyFilter.registerAllowedSources (#1180)
---
 server/embedded/src/org/labkey/embedded/LabKeyServer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index e716072caf..b6e9b38acf 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -75,7 +75,7 @@ public static void main(String[] args)
 style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;
 img-src 'self' data: ${IMAGE.SOURCES} ;
 font-src 'self' data: ${FONT.SOURCES} ;
- script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
+ script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ${SCRIPT.SOURCES} ;
 base-uri 'self' ;
 frame-src 'self' ${FRAME.SOURCES} ;
 """;
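Review bot: The added `${SCRIPT.SOURCES}` on the script-src line sits next to `'strict-dynamic'`, and under CSP Level 3 a browser that honors 'strict-dynamic' ignores host-source and scheme-source entries in that directive, so any allowlist hosts expanded there only take effect in browsers that fall back to CSP2 semantics (nonce-loaded scripts still propagate trust to what they load). That is not wrong, but it is easy to misread as "registered script hosts are now allowed", so it deserves a comment on the Java side rather than in the policy text, where a comment would become part of the header; something like `// NOTE: 'strict-dynamic' makes CSP3 browsers ignore host/scheme entries in script-src; ${SCRIPT.SOURCES} only matters where strict-dynamic is unsupported` above the text block. It would also help to state, presumably in ContentSecurityPolicyFilter.registerAllowedSources, whether keyword sources such as 'unsafe-inline' are rejected for this directive, since any value accepted there lands verbatim in an enforcing policy; I cannot see that validation from this hunk. The enclosing main method and the start of the text block are outside the hunk.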