It sounds like a plan for Undertow in Pax Web and wrapping (or even no need to use a SMX bundle, just a private package for pax-web-undertow).

Regards
JB

> On 29 Jan 2021, at 16:32, Grzegorz Grzybek <gr.grzy...@gmail.com> wrote:
>
> No worries about OSGi ;)
>
> Pax Web doesn't have plans to upgrade to Undertow 2.1+ for now. And if it does, it'll repackage and re-export it with version 2.2. So (Pax Web 9?) it'll be the OSGi repackaging of Undertow (maybe in addition to the SMX bundle).
>
> regards
> Grzegorz Grzybek
>
> On Fri, 29 Jan 2021 at 16:29, Freeman Fang <freeman.f...@gmail.com> wrote:
>
>> Hi Colm and Grzegorz,
>>
>> Based on the facts:
>> 1. The CVE got fixed since Undertow 2.2.0 (not in 2.1.5).
>> 2. Since Undertow 2.1.0, there is no OSGi support.
>> 3. CXF 3.4.x uses Undertow 2.1.x already.
>> 4. The CXF OSGi features.xml cxf-http-undertow feature reuses pax-http-undertow, so it always reuses the undertow version shipped with OPS4J PAX-WEB:
>>
>> <feature name="cxf-http-undertow" version="${project.version}">
>>   <feature version="${project.version}">cxf-http</feature>
>>   <feature>pax-http-undertow</feature>
>>   <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-transports-http-undertow/${project.version}</bundle>
>>   <capability>
>>     cxf.http.provider;name=undertow
>>   </capability>
>> </feature>
>>
>> So any upgrade to undertow 2.2.x won't affect the CXF behavior in OSGi, though it's true that in OSGi it's very hard to pick up a later undertow release.
>>
>> In summary, I will upgrade the undertow version to 2.23; at least outside OSGi we can pick up this CVE fix.
>>
>> Cheers
>> Freeman
>>
>> On Fri, Jan 29, 2021 at 5:55 AM Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>
>>> Hi Grzegorz,
>>>
>>> Thanks - I was hoping actually that 2.1.5 would have fixed the CVE, and the CVE information was out of date :-)
>>>
>>> Colm.
>>>
>>> On Fri, Jan 29, 2021 at 10:26 AM Grzegorz Grzybek <gr.grzy...@gmail.com> wrote:
>>>
>>>> Hello
>>>>
>>>> Seeing that Undertow 2.2 is mentioned, I'd just like to highlight that it's no longer an OSGi bundle (see https://issues.redhat.com/browse/UNDERTOW-1684) - if this matters at all for CXF :)
>>>>
>>>> kind regards
>>>> Grzegorz Grzybek
>>>>
>>>> On Fri, 29 Jan 2021 at 11:19, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>>>
>>>>> Hey Freeman,
>>>>>
>>>>> Can you check if the latest Undertow 2.1.x release (2.1.5) is still vulnerable to this CVE?
>>>>>
>>>>> https://nvd.nist.gov/vuln/detail/CVE-2020-10687
>>>>>
>>>>> If yes, can we update CXF to Undertow 2.2.x to avoid the CVE? I see Camel has already updated.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Colm.
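The practical check behind this thread is whether a build still resolves an Undertow release older than the first fixed one (2.2.0 according to the discussion above). The script below is an added example, not code from CXF, Pax Web or anyone in the thread: it parses output in the shape that `mvn dependency:list` prints, picks out artifacts in the `io.undertow` group (the real Maven group id for Undertow; the artifact names and the sample versions in the embedded input are constructed for illustration), and reports those whose numeric version is below the fixed release. Version qualifiers such as `.Final` are ignored for ordering, which is the assumption this comparison makes.

```python
"""Flag Undertow artifacts in a Maven dependency list that predate the fixed release.

Added example for the CVE-2020-10687 upgrade discussion; assumes `mvn dependency:list`
output format and the io.undertow Maven group id. Sample input is constructed.
"""

# Constructed sample in the shape printed by `mvn dependency:list`
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.cxf:cxf-rt-transports-http-undertow:jar:3.4.2:compile
[INFO]    io.undertow:undertow-core:jar:2.1.5.Final:compile
[INFO]    io.undertow:undertow-servlet:jar:2.1.5.Final:compile
[INFO]    org.jboss.xnio:xnio-api:jar:3.8.0.Final:compile
"""

# First release the thread states as containing the fix
FIXED_VERSION = "2.2.0"


def parse_version(version):
    """Turn '2.1.5.Final' into (2, 1, 5); stop at the first non-numeric qualifier.

    Tuples are padded to three components so '2.2' compares equal to '2.2.0'.
    """
    numeric = []
    for part in version.split("."):
        if not part.isdigit():
            break
        numeric.append(int(part))
    while len(numeric) < 3:
        numeric.append(0)
    return tuple(numeric[:3])


def parse_dependency_list(text):
    """Return (group, artifact, version) tuples from dependency:list style lines.

    Fields are colon separated: group:artifact:type[:classifier]:version:scope,
    so the version is always the second-to-last field regardless of a classifier.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.replace("[INFO]", "").strip()
        fields = line.split(":")
        if len(fields) < 5:
            continue  # headers and blank lines
        deps.append((fields[0], fields[1], fields[-2]))
    return deps


def vulnerable_undertow(deps, fixed=FIXED_VERSION, group="io.undertow"):
    """Return the Undertow artifacts whose version is below the fixed release."""
    fixed_tuple = parse_version(fixed)
    return [
        (g, a, v) for g, a, v in deps
        if g == group and parse_version(v) < fixed_tuple
    ]


if __name__ == "__main__":
    found = vulnerable_undertow(parse_dependency_list(SAMPLE_DEPENDENCY_LIST))
    for g, a, v in found:
        print(f"{g}:{a}:{v} is below {FIXED_VERSION}")
    if not found:
        print("no Undertow artifact below", FIXED_VERSION)
```

Run it against real output with `mvn dependency:list | python check_undertow.py` after replacing the constructed sample with `sys.stdin.read()`; inside an OSGi container the same comparison applies to the version the pax-http-undertow feature actually installs, which, as the thread notes, is what decides the picture there.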