Posted to user@karaf.apache.org by "Jackson, Douglas" <do...@siemens.com> on 2019/10/03 22:33:43 UTC

Jetty upgrade in karaf

Hi!
It seems that there are security holes in the jetty implementations used by karaf versions up to 4.2.7. The link to the
Eclipse site that describes the defects is here:
https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
It appears that 4.2.8 is coming out in late December which is a bit late for us to use it in the next version of our product that uses karaf.
So, I was wondering how dangerous it would be for me to edit the standard feature in karaf 4.2.6 and replace the jetty dependencies there with references to jetty 9.4.21.<x>?  I see no version of 9.4.21 is available on the mavenrepository.com yet.

Note: I have not compared karaf 4.2.7 with karaf 4.2.6 yet, but I see it upgraded jetty to 9.4.20.x which unfortunately is not going to work for us.
Thanks,
Doug

Ps. I see it is possible to use tomcat rather than jetty - would that be a better route to go? That looks difficult for us because we have camel configuring jetty engines in spring beans xml. So, it would require reconfiguring cxf/camel to use tomcat. I guess if anyone has experience with how difficult that is I would appreciate hearing about it.




RE: Jetty upgrade in karaf

Posted by "Jackson, Douglas" <do...@siemens.com>.
Hi!
Thanks Jean Baptiste!
We eagerly await that release and appreciate your efforts.
-Doug



Re: Jetty upgrade in karaf

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Doug,

Jetty 9.4.21 has been released on September 27th.

I created the Jira both in Pax Web and Jetty
(https://issues.apache.org/jira/browse/KARAF-6446 |
https://ops4j1.jira.com/browse/PAXWEB-1237).

I can release Karaf 4.2.8 before December, not a problem, especially to
address a security issue.

Regarding your question, just upgrading Karaf standard features XML
won't be enough. You would need to update Pax Web as well.

Let me move forward fast on that.

Regards
JB

On 04/10/2019 00:33, Jackson, Douglas wrote:
> Hi!
> 
> It seems that there are security holes in the jetty implementations used
> by karaf versions up to 4.2.7. The link to the
> 
> Eclipse site that describes the defects is here:
> 
> https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
> 
> It appears that 4.2.8 is coming out in late December which is a bit late
> for us to use it in the next version of our product that uses karaf.
> 
> So, I was wondering how dangerous it would be for me to edit the
> standard feature in karaf 4.2.6 and replace the jetty dependencies there
> with references to jetty 9.4.21.<x>?  I see no version of 9.4.21 is
> available on the mavenrepository.com yet.
> 
> 
> Note: I have not compared karaf 4.2.7 with karaf 4.2.6 yet, but I see it
> upgraded jetty to 9.4.20.x which unfortunately is not going to work for us.
> 
> Thanks,
> 
> Doug
> 
> 
> Ps. I see it is possible to use tomcat rather than jetty – would that be
> a better route to go? That looks difficult for us because we have camel
> configuring jetty engines in spring beans xml. So, it would require
> reconfiguring cxf/camel to use tomcat. I guess if anyone has experience
> with how difficult that is I would appreciate hearing about it.

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
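As an added example (it is not from this thread and not code from the Karaf, Pax Web or Jetty projects), the following Python script does the check a practitioner would want before hand-editing feature files: it parses Karaf-style features XML, pulls out every bundle whose mvn: URL has the groupId org.eclipse.jetty, and reports any whose version is below a required minimum, together with the repository and feature it came from. The two embedded feature snippets are constructed for illustration and only loosely modelled on a "standard" repository and a Pax Web repository; their feature names, Pax Web version and Jetty versions are assumptions, not a statement of what any Karaf or Pax Web release actually ships.

```python
"""Audit the Jetty bundle versions referenced by Karaf-style feature XML files.

Constructed example, not project code.  The sample repositories below are
made up: the "standard" snippet has already been edited to Jetty 9.4.21
while the Pax Web snippet still references 9.4.20, so the audit shows the
stale references that survive when only one file is patched.
"""
import re
import xml.etree.ElementTree as ET

# Karaf feature repositories reference bundles with an mvn: URL:
#   mvn:groupId/artifactId/version[/type[/classifier]]
MVN_RE = re.compile(r"^(?:wrap:)?mvn:([^/]+)/([^/]+)/([^/]+)")

# Constructed sample repositories (feature names and versions are illustrative).
STANDARD_FEATURES = """
<features xmlns="http://karaf.apache.org/xmlns/features/v1.4.0" name="standard-sample">
  <repository>mvn:org.ops4j.pax.web/pax-web-features/7.2.11/xml/features</repository>
  <feature name="pax-jetty" version="9.4.21.v20190926">
    <bundle>mvn:org.eclipse.jetty/jetty-util/9.4.21.v20190926</bundle>
    <bundle>mvn:org.eclipse.jetty/jetty-server/9.4.21.v20190926</bundle>
  </feature>
</features>
"""

PAX_WEB_FEATURES = """
<features xmlns="http://karaf.apache.org/xmlns/features/v1.4.0" name="pax-web-sample">
  <feature name="pax-jetty" version="7.2.11">
    <bundle>mvn:org.eclipse.jetty/jetty-util/9.4.20.v20190813</bundle>
    <bundle>mvn:org.eclipse.jetty/jetty-server/9.4.20.v20190813</bundle>
    <bundle dependency="true">mvn:org.ops4j.pax.web/pax-web-jetty/7.2.11</bundle>
  </feature>
</features>
"""


def mvn_coords(url):
    """Return (groupId, artifactId, version) for an mvn: bundle URL, else None."""
    match = MVN_RE.match(url.strip())
    return match.groups() if match else None


def version_key(version):
    """Comparable numeric prefix of a version: '9.4.20.v20190813' -> (9, 4, 20).

    Jetty 9.4.x tags carry a 'vYYYYMMDD' qualifier; it is dropped because the
    numeric part alone orders the releases.
    """
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def jetty_bundles(xml_text, source):
    """List (source, feature name, artifactId, version) for every org.eclipse.jetty bundle."""
    root = ET.fromstring(xml_text)
    found = []
    for feature in root.iter():
        if _local(feature.tag) != "feature":
            continue
        for child in feature:
            if _local(child.tag) != "bundle" or not child.text:
                continue
            coords = mvn_coords(child.text)
            if coords and coords[0] == "org.eclipse.jetty":
                found.append((source, feature.get("name"), coords[1], coords[2]))
    return found


def audit(repositories, minimum):
    """Return the Jetty bundle references whose version is below `minimum`.

    `repositories` maps a label (file name) to the features XML text.
    """
    floor = version_key(minimum)
    outdated = []
    for source, xml_text in repositories.items():
        for entry in jetty_bundles(xml_text, source):
            if version_key(entry[3]) < floor:
                outdated.append(entry)
    return outdated


if __name__ == "__main__":
    repos = {"standard": STANDARD_FEATURES, "pax-web": PAX_WEB_FEATURES}
    for source, feature, artifact, version in audit(repos, "9.4.21"):
        print(f"{source}: feature '{feature}' still references {artifact} {version}")
```

Pointed at a real installation, the `STANDARD_FEATURES` and `PAX_WEB_FEATURES` strings would be replaced by the contents of the features files Karaf actually resolves (the standard repository and the Pax Web repository it pulls in), and the minimum would be set to the first Jetty release that carries the fix you need. Any line the audit prints is a bundle reference that a features-only edit has left behind.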