Hi Trevor, you still could try out with the 4.3 line. It might already contain what you need. Regarding Jira and PR, yes, please a Jira with a PR that contains the jira number. This way we always can make sure which commit belongs to which version.
One thing though, as 6 is the actually last released version, what made it hard for you to upgrade? Cause even though it's a major version, we look carefully not to break to much stuff. regards, Achim 2017-09-16 2:16 GMT+02:00 Niclas Hedhman <nic...@hedhman.org>: > > I suggest that you submit the PR. That is the easy part. Question is if > there is someone willing to do the release. If you are, then great... if > not, you would need to convince (charm, beer, bribe, threat...) someone to > do it. > > Cheers > Niclas > > On Sat, Sep 16, 2017 at 5:04 AM, Trevor Brown < > tbr...@securityfirstcorp.com> wrote: > >> Hi all, >> >> My company is using Pax Web 4.2.7 right now. Unfortunately the version of >> Jetty in that release (and actually all Pax Web releases, it seems) is >> vulnerable to a timing channel attack (see https://github.com/eclips >> e/jetty.project/issues/1556 for details). >> >> I started looking at options, and right now it looks like the only >> upgrade path I have that won't require a lot of effort on my part (I >> experimented and failed using any of the 6.x releases) is to upgrade within >> the 4.x releases of Pax Web. I just rebuilt 4.4.1 locally with Jetty 9.2.22 >> and all the unit tests passed. >> >> So I'm wondering whether I should open a JIRA and submit a pull request >> for the upgrade in the 4.4.x stream, or whether I should just consider this >> a one-off fork for now and maybe work to pick up the Jetty 9.4.x work in >> the 6.0.x stream? >> >> Thanks in advance. >> >> -- >> -- >> ------------------ >> OPS4J - http://www.ops4j.org - ops4j@googlegroups.com >> >> --- >> You received this message because you are subscribed to the Google Groups >> "OPS4J" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ops4j+unsubscr...@googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > Niclas Hedhman, Software Developer > http://polygene.apache.org - New Energy for Java > > -- > -- > ------------------ > OPS4J - http://www.ops4j.org - ops4j@googlegroups.com > > --- > You received this message because you are subscribed to the Google Groups > "OPS4J" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ops4j+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- Apache Member Apache Karaf <http://karaf.apache.org/> Committer & PMC OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead blog <http://notizblog.nierbeck.de/> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS> Software Architect / Project Manager / Scrum Master -- -- ------------------ OPS4J - http://www.ops4j.org - ops4j@googlegroups.com --- You received this message because you are subscribed to the Google Groups "OPS4J" group. To unsubscribe from this group and stop receiving emails from it, send an email to ops4j+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.