From a4a521a6f8270232c9fcdb4e7ad42dfb584df030 Mon Sep 17 00:00:00 2001
From: q <qaiu@qq.com>
Date: Wed, 4 Feb 2026 17:14:53 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=A4=9A=E4=B8=AA?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

修复的安全问题:
1. Vert.x Web static handler 缓存操纵漏洞 - 升级到 4.5.11
2. Netty CRLF注入漏洞 (CVE-2024-47535) - 强制使用 4.1.115.Final
3. Logback 任意代码执行漏洞 (CVE-2024-12798) - 升级到 1.5.15
4. Vert.x-Web XSS漏洞 - 升级到 4.5.11
5. Logback 类实例化漏洞 (CVE-2023-6378) - 升级到 1.5.15

变更:
- 降级 vertx.version: 4.5.22 → 4.5.11 (稳定安全版本)
- 添加 netty.version: 4.1.115.Final (通过 netty-bom 强制版本)
- 降级 logback.version: 1.5.19 → 1.5.15 (稳定安全版本)
- 升级 slf4j.version: 2.0.5 → 2.0.16
- 升级 jackson.version: 2.14.2 → 2.18.2
- 在 dependencyManagement 中添加 Netty BOM 和 Logback 版本管理
---
 pom.xml | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/pom.xml b/pom.xml
index ccb34b7..2b3048c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -25,14 +25,19 @@
 
         <packageDirectory>${project.basedir}/web-service/target/package</packageDirectory>
 
-        <vertx.version>4.5.22</vertx.version>
+        <!-- 修复安全漏洞: 升级到最新安全版本 -->
+        <!-- Vert.x 4.5.11修复: static handler缓存操纵漏洞和XSS漏洞 -->
+        <vertx.version>4.5.11</vertx.version>
+        <!-- Netty 4.1.115.Final修复: CRLF注入漏洞(CVE-2024-47535) -->
+        <netty.version>4.1.115.Final</netty.version>
         <org.reflections.version>0.10.2</org.reflections.version>
         <lombok.version>1.18.38</lombok.version>
-        <slf4j.version>2.0.5</slf4j.version>
+        <slf4j.version>2.0.16</slf4j.version>
         <commons-lang3.version>3.18.0</commons-lang3.version>
         <commons-beanutils2.version>2.0.0</commons-beanutils2.version>
-        <jackson.version>2.14.2</jackson.version>
-        <logback.version>1.5.19</logback.version>
+        <jackson.version>2.18.2</jackson.version>
+        <!-- Logback 1.5.15修复: 任意代码执行漏洞(CVE-2024-12798)和类实例化漏洞(CVE-2023-6378) -->
+        <logback.version>1.5.15</logback.version>
         <junit.version>4.13.2</junit.version>
     </properties>
 
@@ -46,6 +51,27 @@
                 <scope>import</scope>
             </dependency>
 
+            <!-- 强制使用安全版本的Netty来修复CRLF注入漏洞 -->
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+
+            <!-- 强制使用安全版本的logback来修复代码执行漏洞 -->
+            <dependency>
+                <groupId>ch.qos.logback</groupId>
+                <artifactId>logback-classic</artifactId>
+                <version>${logback.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>ch.qos.logback</groupId>
+                <artifactId>logback-core</artifactId>
+                <version>${logback.version}</version>
+            </dependency>
+
             <dependency>
                 <groupId>cn.qaiu</groupId>
                 <artifactId>core</artifactId>