From d24689a97bb93c8900aaa496b540f8053011199b Mon Sep 17 00:00:00 2001
From: thc202
Date: Tue, 23 Dec 2025 09:51:05 +0000
Subject: [PATCH 1/2] Update Log4j 2 Update to latest version to address CVE, even if it doesn't impact the codebase.
Signed-off-by: thc202
---
 LEGALNOTICE.md | 8 ++++----
 zap/zap.gradle.kts | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/LEGALNOTICE.md b/LEGALNOTICE.md
index 197609f0b20..ee05ff2a85c 100644
--- a/LEGALNOTICE.md
+++ b/LEGALNOTICE.md
@@ -54,10 +54,10 @@ and subject to their respective licenses.
 | jfreechart-1.5.6.jar | LGPL |
 | jgrapht-core-0.9.2.jar | LGPL 2.1 |
 | json-lib-2.4-jdk15.jar | MIT + "Good, Not Evil" |
-| log4j-1.2-api-2.25.2.jar | Apache 2.0 |
-| log4j-api-2.25.2.jar | Apache 2.0 |
-| log4j-core-2.25.2.jar | Apache 2.0 |
-| log4j-jul-2.25.2.jar | Apache 2.0 |
+| log4j-1.2-api-2.25.3.jar | Apache 2.0 |
+| log4j-api-2.25.3.jar | Apache 2.0 |
+| log4j-core-2.25.3.jar | Apache 2.0 |
+| log4j-jul-2.25.3.jar | Apache 2.0 |
 | rsyntaxtextarea-3.6.0.jar | BSD-3 clause |
 | swingx-all-1.6.5-1.jar | LGPL 2.1 |
 | xom-1.3.9.jar | LGPL |
diff --git a/zap/zap.gradle.kts b/zap/zap.gradle.kts
index 2f9993b6548..284781f2961 100644
--- a/zap/zap.gradle.kts
+++ b/zap/zap.gradle.kts
@@ -100,7 +100,7 @@ dependencies {
 api("org.apache.commons:commons-text:1.14.0")
 implementation("edu.umass.cs.benchlab:harlib:1.1.3")
 api("javax.help:javahelp:2.0.05")
- val log4jVersion = "2.25.2"
+ val log4jVersion = "2.25.3"
 api("org.apache.logging.log4j:log4j-api:$log4jVersion")
 api("org.apache.logging.log4j:log4j-1.2-api:$log4jVersion")
 implementation("org.apache.logging.log4j:log4j-core:$log4jVersion")
From b97007c40bab3afe2ad20b83bd9528f76ecfcf68 Mon Sep 17 00:00:00 2001
From: thc202
Date: Tue, 23 Dec 2025 09:54:54 +0000
Subject: [PATCH 2/2] Set the tag when updating the main release Attempt to keep the tag when updating the main release with the macOS binaries.
Signed-off-by: thc202
---
 .../java/org/zaproxy/zap/tasks/UploadAssetsGitHubRelease.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildSrc/src/main/java/org/zaproxy/zap/tasks/UploadAssetsGitHubRelease.java b/buildSrc/src/main/java/org/zaproxy/zap/tasks/UploadAssetsGitHubRelease.java
index 03ce2ef45eb..6b2835d26db 100644
--- a/buildSrc/src/main/java/org/zaproxy/zap/tasks/UploadAssetsGitHubRelease.java
+++ b/buildSrc/src/main/java/org/zaproxy/zap/tasks/UploadAssetsGitHubRelease.java
@@ -130,7 +130,7 @@ public void createRelease() throws IOException {
 String releaseBody = release.getBody();
 if (addChecksums.get()) {
 releaseBody = updateChecksumsTable(releaseBody);
- release.update().body(releaseBody).update();
+ release.update().body(releaseBody).tag(tagName).update();
 }
 for (Asset asset : assets) {
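Review bot: The added `.tag(tagName)` carries no comment saying why a body-only update has to re-send the tag, and the commit message itself calls it an attempt, so a later cleanup could drop it without noticing the effect on the published release. A why-comment above the call would cover it, e.g. `// Re-send the tag with the body update so the release keeps its tag.` Where `tagName` is assigned is outside the hunk; if it can ever differ from the tag of the fetched `release`, this call would re-point the release rather than preserve it, and reading the tag back from `release` (e.g. `release.getTagName()`, if the client library in use offers it) would rule that out. The body of createRelease starts and ends outside the hunk.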