Fix multiple CVEs in Java dependencies

[Digvijay-x1]

What does this PR change?

Several Critical, High, and Moderate severity CVEs have been identified that could enable users to perform actions affecting other users.

This PR updates the relevant Java dependencies to mitigate these security risks.

• Upgrade org.postgresql:postgresql to 42.2.28 (Fixes CVE-2024-1597)
• Upgrade org.apache.tomcat to 9.0.99 (Fixes CVE-2024-56337)
• Upgrade org.quartz-scheduler:quartz to 2.3.2 (Fixes CVE-2019-13990)
• Upgrade org.apache.santuario:xmlsec to 2.2.6 (Fixes CVE-2023-44483)
• Upgrade org.apache.logging.log4j to 2.25.3 (Fixes CVE-2025-68161)

Codespace

Check if you already have a running container clicking on

GUI diff

No difference.

• DONE

Documentation

• No documentation needed: dependencies update

• DONE

Test coverage

ℹ️ If a major new functionality is added, it is strongly recommended that tests for the new functionality are added to the Cucumber test suite

• No tests: already covered

• DONE

Links

Issue(s): #
Port(s): # add downstream PR(s), if any

• DONE

Changelogs

Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository

If you don't need a changelog check, please mark this checkbox:

• No changelog needed

If you uncheck the checkbox after the PR is created, you will need to re-run changelog_test (see below)

Re-run a test

If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:

• Re-run test "changelog_test"
• Re-run test "backend_unittests_pgsql"
• Re-run test "java_pgsql_tests"
• Re-run test "schema_migration_test_pgsql"
• Re-run test "susemanager_unittests"
• Re-run test "frontend_checks"
• Re-run test "spacecmd_unittests"

Before you merge

Check How to branch and merge properly!

[github-actions]

👋 Hello! Thanks for contributing to our project.
Acceptance tests will take some time (aprox. 1h), please be patient ☕

You can see the progress at the end of this page and at https://github.com/uyuni-project/uyuni/pull/11441/checks
Once tests finish, if they fail, you can check 👀 the cucumber report. See the link at the output of the action.
You can also check the artifacts section, which contains the logs at https://github.com/uyuni-project/uyuni/pull/11441/checks.

If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code.

Reference tests:

• https://github.com/uyuni-project/uyuni/actions/workflows/acceptance_tests_secondary_parallel.yml?query=event%3Aschedule

• https://github.com/uyuni-project/uyuni/actions/workflows/acceptance_tests_secondary.yml?query=event%3Aschedule

KNOWN ISSUES

Sometimes the build can fail when pulling new jar files from download.opensuse.org . This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience.

For more tips on troubleshooting, see the troubleshooting guide.

Happy hacking!
⚠️ You should not merge if acceptance tests fail to pass. ⚠️

[mcalmer]

We require to have the java dependencies as RPM packages.
Just changing the ivy config is not sufficient.
The tests are failing due to this.