Jetty upgrade in karaf


Jetty upgrade in karaf

dsjaxen

Hi!

It seems that there are security holes in the jetty implementations used by karaf versions up to 4.2.7. The link to the

Eclipse site that describes the defects is here:

https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html

It appears that 4.2.8 is coming out in late December which is a bit late for us to use it in the next version of our product that uses karaf.

So, I was wondering how dangerous it would be for me to edit the standard feature in karaf 4.2.6 and replace the jetty dependencies there with references to jetty 9.4.21.<x>? I see no version of 9.4.21 is available on the mavenrepository.com yet.


Note: I have not compared karaf 4.2.7 with karaf 4.2.6 yet, but I see it upgraded jetty to 9.4.20.x which unfortunately is not going to work for us.

Thanks,

Doug


Ps. I see it is possible to use tomcat rather than jetty – would that be a better route to go? That looks difficult for us because we have camel configuring jetty engines in spring beans xml. So, it would require reconfiguring cxf/camel to use tomcat. I guess if anyone has experience with how difficult that is I would appreciate hearing about it.


Re: Jetty upgrade in karaf

jbonofre
Hi Doug,

Jetty 9.4.21 has been released on September 27th.

I created the Jira both in Pax Web and Jetty
(https://issues.apache.org/jira/browse/KARAF-6446 |
https://ops4j1.jira.com/browse/PAXWEB-1237).

I can release Karaf 4.2.8 before December, not a problem, especially to
address a security issue.

Regarding your question, just upgrading Karaf standard features XML
won't be enough. You would need to update Pax Web as well.

Let me move forward fast on that.

Regards
JB

On 04/10/2019 00:33, Jackson, Douglas wrote:

> Hi!
>
> It seems that there are security holes in the jetty implementations used
> by karaf versions up to 4.2.7. The link to the
>
> Eclipse site that describes the defects is here:
>
> https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
>
> It appears that 4.2.8 is coming out in late December which is a bit late
> for us to use it in the next version of our product that uses karaf.
>
> So, I was wondering how dangerous it would be for me to edit the
> standard feature in karaf 4.2.6 and replace the jetty dependencies there
> with references to jetty 9.4.21.<x>? I see no version of 9.4.21 is
> available on the mavenrepository.com yet.
>
> Note: I have not compared karaf 4.2.7 with karaf 4.2.6 yet, but I see it
> upgraded jetty to 9.4.20.x which unfortunately is not going to work for us.
>
> Thanks,
>
> Doug
>
> Ps. I see it is possible to use tomcat rather than jetty – would that be
> a better route to go? That looks difficult for us because we have camel
> configuring jetty engines in spring beans xml. So, it would require
> reconfiguring cxf/camel to use tomcat. I guess if anyone has experience
> with how difficult that is I would appreciate hearing about it.
>

--
Jean-Baptiste Onofré
[hidden email]
http://blog.nanthrax.net
Talend - http://www.talend.com
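The reply above makes the practical point that a Jetty fix in Karaf is not just a version bump in the standard features XML: the Jetty bundles are pulled in through Pax Web, so both have to move together. The script below is an added example (not code from the Karaf or Pax Web projects) that audits a features file for Jetty bundles pinned below a given minimum and lists the Pax Web references that would need to change alongside them. The embedded features XML is a constructed sample in the style of a Karaf/Pax Web features file; its layout, artifact names and version numbers are assumptions for illustration, and the `mvn:` URL shape it parses is `mvn:groupId/artifactId/version[/type[/classifier]]`.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the style of a Karaf/Pax Web features file.  The
# element layout, artifact names and version numbers are assumptions chosen
# to illustrate the check; they are not copied from any Karaf release.
SAMPLE_FEATURES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<features xmlns="http://karaf.apache.org/xmlns/features/v1.4.0" name="sample-standard">
  <repository>mvn:org.ops4j.pax.web/pax-web-features/7.2.11/xml/features</repository>
  <feature name="pax-jetty" version="9.4.18.v20190429">
    <bundle dependency="true">mvn:org.eclipse.jetty/jetty-util/9.4.18.v20190429</bundle>
    <bundle dependency="true">mvn:org.eclipse.jetty/jetty-server/9.4.18.v20190429</bundle>
    <bundle>mvn:org.ops4j.pax.web/pax-web-jetty/7.2.11</bundle>
  </feature>
</features>
"""

# mvn:groupId/artifactId/version[/type[/classifier]], optionally wrapped.
MVN_RE = re.compile(r"^(?:wrap:)?mvn:([^/]+)/([^/]+)/([^/]+)")


def version_key(version):
    """Leading numeric components of a version string, for ordering.
    '9.4.18.v20190429' -> (9, 4, 18); the timestamp suffix is ignored."""
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def maven_references(xml_text):
    """Every <bundle> and <repository> mvn: reference in the features file,
    as dicts with kind, group, artifact, version and the full URL."""
    refs = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) not in ("bundle", "repository"):
            continue
        text = (elem.text or "").strip()
        m = MVN_RE.match(text)
        if m:
            refs.append({"kind": _local(elem.tag), "group": m.group(1),
                         "artifact": m.group(2), "version": m.group(3), "url": text})
    return refs


def jetty_bundles_below(xml_text, min_version):
    """Jetty bundles (org.eclipse.jetty group) pinned below min_version."""
    floor = version_key(min_version)
    return [r for r in maven_references(xml_text)
            if r["group"] == "org.eclipse.jetty" and version_key(r["version"]) < floor]


def pax_web_references(xml_text):
    """URLs of the Pax Web artifacts the file pulls in.  Bumping the Jetty
    bundle versions alone leaves these untouched, which is the gap the
    reply points out."""
    return [r["url"] for r in maven_references(xml_text)
            if r["group"] == "org.ops4j.pax.web"]


def audit(xml_text, min_version):
    """Human-readable findings for one features file."""
    findings = []
    for r in jetty_bundles_below(xml_text, min_version):
        findings.append("jetty below %s: %s" % (min_version, r["url"]))
    for url in pax_web_references(xml_text):
        findings.append("pax-web reference to update alongside jetty: " + url)
    return findings


if __name__ == "__main__":
    # Usage: python audit_features.py [features.xml] [min-jetty-version]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEATURES_XML
    floor = sys.argv[2] if len(sys.argv) > 2 else "9.4.21"
    for line in audit(text, floor):
        print(line)
```

Run it against the sample and it flags the two `org.eclipse.jetty` bundles as below 9.4.21 and lists both Pax Web references (the features repository and the `pax-web-jetty` bundle), which is the part a plain search-and-replace on Jetty version strings would miss. Pointing it at a real Karaf or Pax Web features file is only a matter of passing the path and the minimum version you need.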

RE: Jetty upgrade in karaf

dsjaxen

Hi!

Thanks Jean-Baptiste!

We eagerly await that release and appreciate your efforts.

-Doug