From bc7fdf8c6960016d4bc850d7ff068f6ddf9050e5 Mon Sep 17 00:00:00 2001
From: brais <26645694+BraisVQ@users.noreply.github.com>
Date: Tue, 10 Feb 2026 16:03:57 +0100
Subject: [PATCH 1/2] Fix CVE-2021-4104 and change base image to Eclipse Temurin 11 JRE (#761)
---
 CHANGELOG.md | 2 ++
 build.gradle | 9 +++++++--
 docker/Dockerfile | 4 +++-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 25acd664..c1844c67 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 ## Unreleased
+### Fixed
+- Fix CVE-2021-4104 and change java base image ([#761](https://github.com/opendevstack/ods-provisioning-app/pull/761))
 ## [4.3.0] - 2025-03-25
diff --git a/build.gradle b/build.gradle
index f984119f..eb7674e3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -130,15 +130,20 @@ dependencies {
 strictly '3.5.2'
 } // Cannot upgrade to '3.5.24'
 transitive = true
+ exclude group: 'log4j', module: 'log4j'
 }
 implementation('com.atlassian.security:atlassian-security:3.2.14') {
 transitive = true
+ exclude group: 'log4j', module: 'log4j'
 }
 implementation('com.atlassian.security:atlassian-cookie-tools:3.2.14') {
 transitive = true
+ exclude group: 'log4j', module: 'log4j'
 }
 implementation('javax.validation:validation-api:2.0.1.Final')
- implementation('com.atlassian.crowd:crowd-integration-springsecurity:5.1.3')
+ implementation('com.atlassian.crowd:crowd-integration-springsecurity:5.1.3') {
+ exclude group: 'log4j', module: 'log4j'
+ }
 implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
 implementation group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.1'
 implementation group: 'xerces', name: 'xercesImpl', version: '2.9.1'
@@ -228,4 +233,4 @@ configurations.all {
 // configurations.implementation {
 // exclude group: 'com.google.code.findbugs', module: 'jsr305'
-// }
\ No newline at end of file
+// }
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 585d6743..e90bc96b 100644
--- a/docker/Dockerfile
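Review bot: The `exclude group: 'log4j', module: 'log4j'` lines in the first build.gradle hunk cover only the four Atlassian dependencies touched there, so log4j 1.x can come back through any other transitive path or a later dependency bump and CVE-2021-4104 would be reintroduced silently. The following hunk header shows the file already has a `configurations.all { … }` block; placing `exclude group: 'log4j', module: 'log4j'` there once removes the artifact from every configuration and makes the four per-dependency copies unnecessary. Two things cannot be seen from this hunk and are worth confirming before release: that the resolved runtime classpath no longer lists log4j 1.x (for example with `gradle dependencies --configuration runtimeClasspath`), and that the Atlassian libraries do not reference `org.apache.log4j` classes directly, in which case a bridge such as `org.slf4j:log4j-over-slf4j` would be needed to avoid `NoClassDefFoundError` at runtime. The `dependencies` block starts and ends outside the hunk.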
+++ b/docker/Dockerfile
@@ -1,4 +1,6 @@
-FROM adoptopenjdk/openjdk11:ubi-jre
+FROM docker.io/library/eclipse-temurin:11-jre-ubi9-minimal
+
+RUN microdnf update -y && microdnf clean all
 COPY files/entrypoint.sh /usr/local/bin/
 COPY app.jar app.jar
From 4150a29c1cee35a6362c30821466c6676988b381 Mon Sep 17 00:00:00 2001
From: brais <26645694+BraisVQ@users.noreply.github.com>
Date: Wed, 25 Feb 2026 13:35:09 +0100
Subject: [PATCH 2/2] Update CHANGELOG with unreleased section and 4.4.0
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c1844c67..af46883f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 ## Unreleased
+### Fixed
+
+## [4.4.0] - 2026-02-25
 ### Fixed
 - Fix CVE-2021-4104 and change java base image ([#761](https://github.com/opendevstack/ods-provisioning-app/pull/761))
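Review bot: In the docker/Dockerfile hunk of patch 1/2, the new `FROM docker.io/library/eclipse-temurin:11-jre-ubi9-minimal` uses a mutable tag and is followed by an unpinned `RUN microdnf update -y`, so the image content depends on the day it is built and two builds of the same commit can ship different packages. Pinning the base by digest, `FROM docker.io/library/eclipse-temurin:11-jre-ubi9-minimal@sha256:<digest-of-reviewed-image>`, and picking up OS fixes by bumping that digest on a schedule keeps the remediation auditable and reproducible. If the `microdnf update` step stays, a comment above it such as `# apply UBI security errata published after the base image was built` would record why it is there. No `USER` instruction is visible in this hunk; the Dockerfile continues outside it, so whether the container drops root should be checked in the rest of the file.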