It sounds like a plan for Undertow in Pax Web and wrapping (or even no need to
use an SMX bundle, just a private package for pax-web-undertow).

Regards
JB

> On 29 Jan 2021, at 16:32, Grzegorz Grzybek <gr.grzy...@gmail.com> wrote:
> 
> No worries about OSGi ;)
> 
> Pax Web doesn't have plans to upgrade to Undertow 2.1+ for now. And if it
> does, it'll repackage and re-export it with version 2.2. So (Pax Web 9?)
> it'll be the OSGi repackaging of Undertow (maybe in addition to the SMX bundle).
> 
> regards
> Grzegorz Grzybek
> 
> On Fri, 29 Jan 2021 at 16:29 Freeman Fang <freeman.f...@gmail.com> wrote:
> 
>> Hi Colm and Grzegorz,
>> 
>> Based on the facts:
>> 1. The CVE got fixed as of Undertow 2.2.0 (not in 2.1.5).
>> 2. Since Undertow 2.1.0, there is no OSGi support.
>> 3. CXF 3.4.x uses Undertow 2.1.x already.
>> 4. The CXF OSGi features.xml cxf-http-undertow feature reuses
>> pax-http-undertow, so it always reuses the undertow version shipped with OPS4J
>> PAX-WEB:
>> <feature name="cxf-http-undertow" version="${project.version}">
>>     <feature version="${project.version}">cxf-http</feature>
>>     <feature>pax-http-undertow</feature>
>>     <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-transports-http-undertow/${project.version}</bundle>
>>     <capability>
>>         cxf.http.provider;name=undertow
>>     </capability>
>> </feature>
>> So any upgrade to undertow 2.2.x won't affect the CXF behavior in OSGi,
>> though it's true that in OSGi it's very hard to pick up a later undertow release.
>> 
>> In summary, I will upgrade the undertow version to 2.23; at least outside OSGi
>> we can pick up this CVE fix.
>> 
>> Cheers
>> Freeman
>> 
>> On Fri, Jan 29, 2021 at 5:55 AM Colm O hEigeartaigh <cohei...@apache.org>
>> wrote:
>> 
>>> Hi Grzegorz,
>>> 
>>> Thanks - I was hoping actually that 2.1.5 would have fixed the CVE, and
>>> the CVE information was out of date :-)
>>> 
>>> Colm.
>>> 
>>> On Fri, Jan 29, 2021 at 10:26 AM Grzegorz Grzybek <gr.grzy...@gmail.com>
>>> wrote:
>>> 
>>>> Hello
>>>> 
>>>> Seeing that Undertow 2.2 is mentioned, I'd just like to highlight that
>>>> it's no longer an OSGi bundle (see
>>>> https://issues.redhat.com/browse/UNDERTOW-1684) - if this matters at all
>>>> for CXF :)
>>>> 
>>>> kind regards
>>>> Grzegorz Grzybek
>>>> 
>>>> On Fri, 29 Jan 2021 at 11:19 Colm O hEigeartaigh <cohei...@apache.org>
>>>> wrote:
>>>> 
>>>>> Hey Freeman,
>>>>> 
>>>>> Can you check if the latest Undertow 2.1.x release (2.1.5) is still
>>>>> vulnerable to this CVE?
>>>>> 
>>>>> https://nvd.nist.gov/vuln/detail/CVE-2020-10687
>>>>> 
>>>>> If yes, can we update CXF to Undertow 2.2.x to avoid the CVE? I see Camel
>>>>> has already updated.
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> Colm.
>>>>> 
>>>> 
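The point Freeman makes above is that in OSGi the effective Undertow version is whichever bundles the pax-http-undertow feature ships, not anything CXF's own cxf-http-undertow feature declares, so a version check has to follow the feature references. The script below is an added example written for this page, not CXF or Pax Web code: it parses a Karaf features XML, resolves feature dependencies transitively, extracts the io.undertow bundle versions and compares them with the 2.2.0 threshold stated in the thread. The features XML is constructed for the example; the cxf-http-undertow feature mirrors the one quoted above with the version placeholders filled in, while the pax-http-undertow feature and the Maven coordinates it lists are a hypothetical stand-in for the real Pax Web feature.

```python
"""Resolve which Undertow version a Karaf feature actually installs.

Added example, not CXF or Pax Web code. FEATURES_XML is constructed for this
example: the pax-http-undertow feature and its bundle coordinates are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

FEATURES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<features name="sample" xmlns="http://karaf.apache.org/xmlns/features/v1.4.0">
  <feature name="cxf-http" version="3.4.2">
    <bundle>mvn:org.apache.cxf/cxf-rt-transports-http/3.4.2</bundle>
  </feature>
  <!-- hypothetical stand-in for the real Pax Web feature -->
  <feature name="pax-http-undertow" version="7.3.14">
    <bundle>mvn:io.undertow/undertow-core/2.1.5.Final</bundle>
    <bundle>mvn:io.undertow/undertow-servlet/2.1.5.Final</bundle>
  </feature>
  <feature name="cxf-http-undertow" version="3.4.2">
    <feature version="3.4.2">cxf-http</feature>
    <feature>pax-http-undertow</feature>
    <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-transports-http-undertow/3.4.2</bundle>
    <capability>
      cxf.http.provider;name=undertow
    </capability>
  </feature>
</features>
"""

FIXED_VERSION = "2.2.0"  # per the thread: the CVE fix is in Undertow 2.2.0, not 2.1.5

NS = {"k": "http://karaf.apache.org/xmlns/features/v1.4.0"}
# group/artifact/version of a (possibly wrap:-prefixed) mvn: URL; '$' starts wrap options
MVN_RE = re.compile(r"^(?:wrap:)?mvn:([^/]+)/([^/]+)/([^/$]+)")


def parse_features(xml_text):
    """Return {feature_name: (names of dependent features, bundle URLs)}."""
    root = ET.fromstring(xml_text)
    features = {}
    for f in root.findall("k:feature", NS):
        deps = [d.text.strip() for d in f.findall("k:feature", NS)]
        bundles = [b.text.strip() for b in f.findall("k:bundle", NS)]
        features[f.get("name")] = (deps, bundles)
    return features


def resolve_bundles(features, name, seen=None):
    """Transitively collect every bundle installed when feature `name` is installed."""
    seen = set() if seen is None else seen
    if name in seen or name not in features:
        return []
    seen.add(name)
    deps, bundles = features[name]
    out = list(bundles)
    for dep in deps:
        out.extend(resolve_bundles(features, dep, seen))
    return out


def version_key(version):
    """Numeric comparison key for Maven-style versions; a qualifier like '.Final' is ignored."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (3 - len(nums)))  # pad so that 2.2 == 2.2.0


def undertow_versions(features, feature_name):
    """Map each io.undertow artifact pulled in by `feature_name` to its version."""
    found = {}
    for url in resolve_bundles(features, feature_name):
        m = MVN_RE.match(url)
        if m and m.group(1) == "io.undertow":
            found[m.group(2)] = m.group(3)
    return found


def vulnerable_artifacts(features, feature_name, fixed=FIXED_VERSION):
    """Undertow artifacts installed by `feature_name` whose version is below the fixed one."""
    return {a: v for a, v in undertow_versions(features, feature_name).items()
            if version_key(v) < version_key(fixed)}


if __name__ == "__main__":
    feats = parse_features(FEATURES_XML)
    for artifact, version in vulnerable_artifacts(feats, "cxf-http-undertow").items():
        print(f"cxf-http-undertow installs {artifact} {version} (< {FIXED_VERSION})")
```

Run against the sample, the check reports both Undertow bundles at 2.1.5.Final even though nothing under cxf-http-undertow names Undertow at all, which is the situation described in the thread: bumping the Undertow version in CXF's pom changes what non-OSGi users get, but the Karaf feature keeps installing whatever Pax Web ships until Pax Web itself moves.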
