I suggest that you submit the PR. That is the easy part. Question is if
there is someone willing to do the release. If you are, then great... if
not, you would need to convince (charm, beer, bribe, threat...) someone to
do it.

Cheers
Niclas

On Sat, Sep 16, 2017 at 5:04 AM, Trevor Brown <tbr...@securityfirstcorp.com>
wrote:

> Hi all,
>
> My company is using Pax Web 4.2.7 right now. Unfortunately the version of
> Jetty in that release (and actually all Pax Web releases, it seems) is
> vulnerable to a timing channel attack (see
> https://github.com/eclipse/jetty.project/issues/1556 for details).
>
> I started looking at options, and right now it looks like the only upgrade
> path I have that won't require a lot of effort on my part (I experimented
> and failed using any of the 6.x releases) is to upgrade within the 4.x
> releases of Pax Web. I just rebuilt 4.4.1 locally with Jetty 9.2.22 and all
> the unit tests passed.
>
> So I'm wondering whether I should open a JIRA and submit a pull request
> for the upgrade in the 4.4.x stream, or whether I should just consider this
> a one-off fork for now and maybe work to pick up the Jetty 9.4.x work in
> the 6.0.x stream?
>
> Thanks in advance.
>
> --
> --
> ------------------
> OPS4J - http://www.ops4j.org - ops4j@googlegroups.com
>
> ---
> You received this message because you are subscribed to the Google Groups
> "OPS4J" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ops4j+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java
