[ 
https://issues.apache.org/jira/browse/KARAF-8004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18021164#comment-18021164
 ] 

Jean-Baptiste Onofré commented on KARAF-8004:
---------------------------------------------

[~karthickm512] nb: please open the issue on GH now, Jira will be read-only 
soon.

> Upgrade to Jetty 9.4.58 to mitigate CVE-2025-5115
> -------------------------------------------------
>
>                 Key: KARAF-8004
>                 URL: https://issues.apache.org/jira/browse/KARAF-8004
>             Project: Karaf
>          Issue Type: Dependency upgrade
>          Components: karaf
>    Affects Versions: 4.4.8
>            Reporter: Karthick
>            Priority: Major
>
> There is a high-severity vulnerability, CVE-2025-5115, that affects HTTP/2 
> (MadeYouReset), and a fix has been released in 9.4.58 (refer to [Eclipse 
> Jetty affected by MadeYouReset HTTP/2 vulnerability | GitLab Advisory 
> Database|https://advisories.gitlab.com/pkg/maven/org.eclipse.jetty.http2/jetty-http2-common/CVE-2025-5115/]).
>
> As we get org.eclipse.jetty.http2/http2-common from pax-web-http [included 
> in Karaf], please check and update to the latest released version (if 
> available) so that we are protected in the upcoming Karaf release 4.4.9.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
