Posted to user@karaf.apache.org by Paul Stanley <Pa...@saaconsultants.com> on 2021/03/01 10:38:50 UTC

Re: Jetty security defect

Hi JB.

PAX-WEB (and karaf) will need to be updated to include Jetty 9.4.38 for 
the CVE-2020-27223 fix.

Cheers
Paul



From:   "Jean-Baptiste Onofre" <jb...@nanthrax.net>
To:     "user" <us...@karaf.apache.org>
Date:   26/02/2021 06:21
Subject:        Re: Jetty security defect



Hi Gerald,

Karaf 4.3.1 will still use Pax Web 7.3.12 (with jetty update).

Pax Web 8.x (with jetty, undertow updates and refactoring) is not yet 
fully ready.

Regards
JB

On 26 Feb 2021 at 07:20, Gerald Kallas - mailbox.org <catshout@mailbox.org> wrote:

Hi all, which Karaf release does contain which Pax Web? When would Pax Web 
8.0 be released?

Tx in advance.

Sent by my mobile device
- Gerald Kallas

On 26.02.2021 at 07:05, Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:

Hi,

Yes, Pax Web 7.2.22 includes update to Jetty 9.4.36.

Regards
JB

On 25 Feb 2021 at 19:18, Jackson, Douglas <do...@siemens.com> wrote:

 
Hi!
Is the new pax-web going into the karaf 4.2.11 release?
It appears that release might be available sooner than the 4.3.1 release 
and I need to apply the fix fairly soon.
Thanks,
Doug





Re: Jetty security defect

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
Yes, correct, both 4.2 and 4.3 will get the Jetty upgrade.

Regards
JB

> On 1 Mar 2021 at 14:55, Serge Huber <sh...@apache.org> wrote:
> 
> Thanks for the work guys !
> 
> Am I understanding correctly that both Karaf 4.2 and 4.3 will get this Jetty upgrade? 
> 
> Regards,
>   Serge... 
> 
> On Mon, Mar 1, 2021 at 2:30 PM Jean-Baptiste Onofre <jb@nanthrax.net> wrote:
> Hi Paul,
> 
> Thanks for the update. I’m cutting a new Pax Web release and update in Karaf now.
> 
> Thanks again !
> 
> Regards
> JB
> 
>> On 1 Mar 2021 at 11:38, Paul Stanley <Paul.Stanley@saaconsultants.com> wrote:
>> 
>> Hi JB. 
>> 
>> PAX-WEB (and karaf) will need to be updated to include Jetty 9.4.38 for the CVE-2020-27223 fix.
>> 
>> Cheers 
>> Paul 
>> 
>> 
>> 
>> From:        "Jean-Baptiste Onofre" <jb@nanthrax.net>
>> To:        "user" <user@karaf.apache.org>
>> Date:        26/02/2021 06:21 
>> Subject:        Re: Jetty security defect 
>> 
>> 
>> 
>> Hi Gerald, 
>> 
>> Karaf 4.3.1 will still use Pax Web 7.3.12 (with jetty update). 
>> 
>> Pax Web 8.x (with jetty, undertow updates and refactoring) is not yet fully ready. 
>> 
>> Regards 
>> JB 
>> 
>> On 26 Feb 2021 at 07:20, Gerald Kallas - mailbox.org <catshout@mailbox.org> wrote:
>> 
>> Hi all, which Karaf release does contain which Pax Web? When would Pax Web 8.0 be released? 
>> 
>> Tx in advance.
>> 
>> Sent by my mobile device 
>> - Gerald Kallas 
>> 
>> On 26.02.2021 at 07:05, Jean-Baptiste Onofre <jb@nanthrax.net> wrote:
>> 
>> Hi, 
>> 
>> Yes, Pax Web 7.2.22 includes update to Jetty 9.4.36. 
>> 
>> Regards 
>> JB 
>> 
>> On 25 Feb 2021 at 19:18, Jackson, Douglas <douglas.s.jackson@siemens.com> wrote:
>>  
>> Hi!
>> Is the new pax-web going into the karaf 4.2.11 release?
>> It appears that release might be available sooner than the 4.3.1 release and I need to apply the fix fairly soon.
>> Thanks,
>> Doug
>> 
>> 
>> 
>> 
> 


Re: Jetty security defect

Posted by Serge Huber <sh...@apache.org>.
Thanks for the work guys !

Am I understanding correctly that both Karaf 4.2 and 4.3 will get this
Jetty upgrade?

Regards,
  Serge...

On Mon, Mar 1, 2021 at 2:30 PM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:

> Hi Paul,
>
> Thanks for the update. I’m cutting a new Pax Web release and update in
> Karaf now.
>
> Thanks again !
>
> Regards
> JB
>
> On 1 Mar 2021 at 11:38, Paul Stanley <Pa...@saaconsultants.com> wrote:
>
> Hi JB.
>
> PAX-WEB (and karaf) will need to be updated to include Jetty 9.4.38 for
> the CVE-2020-27223 fix.
>
> Cheers
> Paul
>
>
>
> From:        "Jean-Baptiste Onofre" <jb...@nanthrax.net>
> To:        "user" <us...@karaf.apache.org>
> Date:        26/02/2021 06:21
> Subject:        Re: Jetty security defect
> ------------------------------
>
>
>
> Hi Gerald,
>
> Karaf 4.3.1 will still use Pax Web 7.3.12 (with jetty update).
>
> Pax Web 8.x (with jetty, undertow updates and refactoring) is not yet
> fully ready.
>
> Regards
> JB
>
> On 26 Feb 2021 at 07:20, Gerald Kallas - mailbox.org <catshout@mailbox.org> wrote:
>
> Hi all, which Karaf release does contain which Pax Web? When would Pax Web
> 8.0 be released?
>
> Tx in advance.
>
> Sent by my mobile device
> - Gerald Kallas
>
> On 26.02.2021 at 07:05, Jean-Baptiste Onofre <jb@nanthrax.net> wrote:
>
> Hi,
>
> Yes, Pax Web 7.2.22 includes update to Jetty 9.4.36.
>
> Regards
> JB
>
> On 25 Feb 2021 at 19:18, Jackson, Douglas <douglas.s.jackson@siemens.com> wrote:
>
>
> Hi!
> Is the new pax-web going into the karaf 4.2.11 release?
> It appears that release might be available sooner than the 4.3.1 release
> and I need to apply the fix fairly soon.
> Thanks,
> Doug
>
>
>
>
>
>

Re: Jetty security defect

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
Hi Paul,

Thanks for the update. I’m cutting a new Pax Web release and update in Karaf now.

Thanks again !

Regards
JB

> On 1 Mar 2021 at 11:38, Paul Stanley <Pa...@saaconsultants.com> wrote:
> 
> Hi JB. 
> 
> PAX-WEB (and karaf) will need to be updated to include Jetty 9.4.38 for the CVE-2020-27223 fix.
> 
> Cheers 
> Paul 
> 
> 
> 
> From:        "Jean-Baptiste Onofre" <jb...@nanthrax.net> 
> To:        "user" <us...@karaf.apache.org> 
> Date:        26/02/2021 06:21 
> Subject:        Re: Jetty security defect 
> 
> 
> 
> Hi Gerald, 
> 
> Karaf 4.3.1 will still use Pax Web 7.3.12 (with jetty update). 
> 
> Pax Web 8.x (with jetty, undertow updates and refactoring) is not yet fully ready. 
> 
> Regards 
> JB 
> 
> On 26 Feb 2021 at 07:20, Gerald Kallas - mailbox.org <catshout@mailbox.org> wrote:
> 
> Hi all, which Karaf release does contain which Pax Web? When would Pax Web 8.0 be released? 
> 
> Tx in advance.
> 
> Sent by my mobile device 
> - Gerald Kallas 
> 
> On 26.02.2021 at 07:05, Jean-Baptiste Onofre <jb@nanthrax.net> wrote:
> 
> Hi, 
> 
> Yes, Pax Web 7.2.22 includes update to Jetty 9.4.36. 
> 
> Regards 
> JB 
> 
> On 25 Feb 2021 at 19:18, Jackson, Douglas <douglas.s.jackson@siemens.com> wrote:
>  
> Hi!
> Is the new pax-web going into the karaf 4.2.11 release?
> It appears that release might be available sooner than the 4.3.1 release and I need to apply the fix fairly soon.
> Thanks,
> Doug
> 
> 
> 
>