Hi all,

My company is using Pax Web 4.2.7 right now. Unfortunately the version of Jetty in that release (and actually all Pax Web releases, it seems) is vulnerable to a timing channel attack (see https://github.com/eclipse/jetty.project/issues/1556 for details).
I started looking at options, and right now it looks like the only upgrade path I have that won't require a lot of effort on my part (I experimented and failed using any of the 6.x releases) is to upgrade within the 4.x releases of Pax Web. I just rebuilt 4.4.1 locally with Jetty 9.2.22 and all the unit tests passed. So I'm wondering whether I should open a JIRA and submit a pull request for the upgrade in the 4.4.x stream, or whether I should just consider this a one-off fork for now and maybe work to pick up the Jetty 9.4.x work in the 6.0.x stream?

Thanks in advance.
