From 1f85d03d725f79dd0ce36de7c5bb4edebd78e7b3 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Mon, 16 Mar 2026 15:53:09 -0700
Subject: [PATCH 1/2] Remove CSP versions from headers and URLs (#1307)

---
 server/embedded/src/org/labkey/embedded/LabKeyServer.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index a464fa0bee..2dd374fc77 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -79,16 +79,17 @@ public static void main(String[] args)
                 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ${SCRIPT.SOURCES} ;
                 base-uri 'self' ;
                 frame-src 'self' ${FRAME.SOURCES} ;
+                report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api ;
             """;
         // Add upgrade_insecure_requests substitution, frame-ancestors, and enforce version
         String enforceCsp = baseCsp + """
                 ${UPGRADE.INSECURE.REQUESTS}
                 frame-ancestors 'self' ;
-                report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=e14 ;
+                /* cspVersion=e15 */
             """;
         // Leave out upgrade_insecure_requests and frame-ancestors directives, since they produce warnings on some browsers
         String reportCsp = baseCsp + """
-                report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=r14 ;
+                /* cspVersion=r15 */
             """;
 
         application.setDefaultProperties(new HashMap<>()

From ee0f491f071da3f241cd4199298388834e2677f9 Mon Sep 17 00:00:00 2001
From: Trey Chadick <tchad@labkey.com>
Date: Mon, 16 Mar 2026 16:17:22 -0700
Subject: [PATCH 2/2] Suppress PDFBox CVE (#1308)

https://nvd.nist.gov/vuln/detail/CVE-2026-23907
---
 dependencyCheckSuppression.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index b181166d9d..27621b7705 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -194,4 +194,37 @@
        <packageUrl regex="true">^pkg:maven/org\.mozilla/rhino@.*$</packageUrl>
        <vulnerabilityName>CVE-2025-66453</vulnerabilityName>
     </suppress>
+
+    <!--
+    Some PDFBox example code (ExtractEmbeddedFiles) contains a path traversal vulnerability. The example code isn't
+    packaged in any jars and we already have checks in place to prevent path traversal vulnerabilities.
+    -->
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-debugger-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-debugger@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-io-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-io@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-tools-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
 </suppressions>