Re: upgrade to Jetty 9.4.39.v20210325
Hi Grzegorz, Thank you a lot for taking the time to write these explanations, and sorry for not having paid enough attention to the announcement. It's all clarified now for me. Cheers, Fabien On Monday, 17 May 2021 at 11:49:04 UTC+2 gr.gr...@gmail.com wrote: > Hello Fabien > > As I've mentioned in the announcement email[1]: > > I'd like to announce that I've just released Pax Web 7.4.0 that should NOT >> be treated as direct replacement of existing 7.2.x and 7.3.x lines. >> >> The purpose of this release is to leverage >> https://issues.redhat.com/browse/UNDERTOW-1852 issue, which brought back >> OSGi support to Undertow. >> > > So Pax Web 7.4.x should be treated as tech preview version of Pax web > 7.3.x which was ALSO a tech preview (because of incomplete Servlet API 4 > implementation - only Undertow 2.0.x and Tomcat 9 are Servlet API 4 > compatible, Jetty 9.4 is still Servlet API 3.1). > > But I believe 7.3 is well established now, so there's really nothing > "better" in Pax Web 7.4 except more dependencies on Wildfly libraries > (because surprisingly, XNIO after 3.3.x requires more JBoss/Wildfly > libraries, some of which are not proper OSGi bundles). > > kind regards > Grzegorz Grzybek > > [1]: https://groups.google.com/g/ops4j-announcement/c/_mEbz_sAx40 > > pon., 17 maj 2021 o 11:13 'Fabien S' via OPS4J > napisał(a): > >> Hi all, >> Would you have any idea when a new version 7.4.2 of Pax Web would be >> available? In the projects of my company, we have to make the decision >> either to wait for it, or to release our software without upgrading Pax Web >> (and possibly applying some workarounds to prevent the Deny of service >> vulnerability). >> >> Cheers, >> Fabien >> >> On Tuesday, 13 April 2021 at 09:18:01 UTC+2 jeanbapti...@gmail.com wrote: >> >>> I’m doing on all branches. >>> >>> Regards >>> JB >>> >>> Le 13 avr. 2021 à 08:30, Grzegorz Grzybek a écrit : >>> >>> Hello >>> >>> Yes - an upgrade to Jetty 9.4.39 is fine. Just no need to do it in >>> `main` branch, because I've already updated it locally in very >>> not-ready-yet code. >>> >>> regards >>> Grzegorz >>> >>> wt., 13 kwi 2021 o 08:25 'Fabien S' via OPS4J >>> napisał(a): >>> >>>> Hi, thank you a lot for your help and explanations! >>>> Regarding the vulnerability, maybe it's possible to include in the code >>>> of the application this work-around: >>>> >>>> https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w >>>> but I'm not sure it would handle all the cases, so relying on an >>>> official fix from Jetty would be safer. >>>> >>>> Cheers, >>>> Fabien >>>> >>>> On Monday, 12 April 2021 at 20:50:48 UTC+2 gr.gr...@gmail.com wrote: >>>> >>>>> Hello >>>>> >>>>> Just an information about Pax Web and main branch. I've recently >>>>> renamed "master-improvements" branch to "main" - I had two goals with >>>>> this >>>>> action: >>>>> - show that my long-developed "master-improvements" branch, where >>>>> I've literally refactored big part of Pax Web (to adjust to new >>>>> Whiteboard >>>>> requirements) is ready to be worked on by others >>>>> - adjust to new standards, where "main" is the new "master" >>>>> >>>>> Unfortunately this new "main" branch is still far from being released >>>>> (I had few months break again and I have to "feel" it again) and usual >>>>> practice, where some change is always made in newest branch and then >>>>> backported to maintenance branches. "main" branch is MUCH different than >>>>> pax-web-7.2.x – pax-web-7.4.x branches. >>>>> >>>>> Also, remember that 3 active maintenance branches of Pax Web are: >>>>> - pax-web-7.2.x - the branch used by Karaf 4.2.x, with Jetty 9, >>>>> Tomcat 8 and Undertow 1.x - the branch using Servlet API 3.1 >>>>> - pax-web-7.3.x - the "tech preview branch 1" with Jetty 9, Tomcat 9 >>>>> and Undertow 2.0.x - the branch using Servlet API 4 >>>>> - pax-web-7.4.x - the "tech preview branch 2" with Jetty 9, Tomcat 9 >>>>> and Undertow 2.2.x - th
Re: upgrade to Jetty 9.4.39.v20210325
Hi all, Would you have any idea when a new version 7.4.2 of Pax Web would be available? In the projects of my company, we have to make the decision either to wait for it, or to release our software without upgrading Pax Web (and possibly applying some workarounds to prevent the Deny of service vulnerability). Cheers, Fabien On Tuesday, 13 April 2021 at 09:18:01 UTC+2 jeanbapti...@gmail.com wrote: > I’m doing on all branches. > > Regards > JB > > Le 13 avr. 2021 à 08:30, Grzegorz Grzybek a écrit : > > Hello > > Yes - an upgrade to Jetty 9.4.39 is fine. Just no need to do it in `main` > branch, because I've already updated it locally in very not-ready-yet code. > > regards > Grzegorz > > wt., 13 kwi 2021 o 08:25 'Fabien S' via OPS4J > napisał(a): > >> Hi, thank you a lot for your help and explanations! >> Regarding the vulnerability, maybe it's possible to include in the code >> of the application this work-around: >> >> https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w >> but I'm not sure it would handle all the cases, so relying on an official >> fix from Jetty would be safer. >> >> Cheers, >> Fabien >> >> On Monday, 12 April 2021 at 20:50:48 UTC+2 gr.gr...@gmail.com wrote: >> >>> Hello >>> >>> Just an information about Pax Web and main branch. I've recently renamed >>> "master-improvements" branch to "main" - I had two goals with this action: >>> - show that my long-developed "master-improvements" branch, where I've >>> literally refactored big part of Pax Web (to adjust to new Whiteboard >>> requirements) is ready to be worked on by others >>> - adjust to new standards, where "main" is the new "master" >>> >>> Unfortunately this new "main" branch is still far from being released (I >>> had few months break again and I have to "feel" it again) and usual >>> practice, where some change is always made in newest branch and then >>> backported to maintenance branches. "main" branch is MUCH different than >>> pax-web-7.2.x – pax-web-7.4.x branches. >>> >>> Also, remember that 3 active maintenance branches of Pax Web are: >>> - pax-web-7.2.x - the branch used by Karaf 4.2.x, with Jetty 9, Tomcat >>> 8 and Undertow 1.x - the branch using Servlet API 3.1 >>> - pax-web-7.3.x - the "tech preview branch 1" with Jetty 9, Tomcat 9 >>> and Undertow 2.0.x - the branch using Servlet API 4 >>> - pax-web-7.4.x - the "tech preview branch 2" with Jetty 9, Tomcat 9 >>> and Undertow 2.2.x - the branch using Servlet API 4 and Undertow 2.2.x >>> which "got back" OSGi metadata since 2.2.5.Final ( >>> https://issues.redhat.com/browse/UNDERTOW-1852) >>> >>> Karaf 4.3.x chose pax-web-7.3.x despite it's still not proper OSGi CMPN >>> 7 implementation (the goal is to have Pax Web 8 compliant to OSGi CMPN 7 >>> specification, but it reaally required lots of fundamental changes, >>> I was describing for at least a year). >>> >>> I hope this clarifies the state of Pax Web. >>> >>> kind regards >>> Grzegorz Grzybek >>> >>> pon., 12 kwi 2021 o 20:26 Jean-Baptiste Onofré >>> napisał(a): >>> >>>> Hi, >>>> >>>> It’s already plan and I have Pax Web releases on the way, including >>>> this and other fixes. >>>> >>>> So, don’t worry, we will have the Pax Web releases tomorrow. >>>> >>>> Regards >>>> JB >>>> >>>> Le 12 avr. 2021 à 18:25, 'Fabien S' via OPS4J >>>> a écrit : >>>> >>>> I created this issue about the upgrade to Jetty 9.4.39.v20210325 >>>> because some lower version are impacted by CVE-2021-28165. >>>> >>>> https://github.com/ops4j/org.ops4j.pax.web/issues/1594 >>>> >>>> I wanted to try to do the change by myself, and I hoped that creating a >>>> pull request would allow me to run the regression tests but in fact I >>>> don't >>>> know how to trigger these tests. I'm not even sure that I created a commit >>>> for the right target branch. Could anybody assist me please? >>>> >>>> Cheers, >>>> Fabien >>>> >>>> -- >>>> -- >>>> -- >>>> OPS4J - http://www.ops4j.org - op...@googlegroups.c
Re: upgrade to Jetty 9.4.39.v20210325
Hi, thank you a lot for your help and explanations! Regarding the vulnerability, maybe it's possible to include in the code of the application this work-around: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w but I'm not sure it would handle all the cases, so relying on an official fix from Jetty would be safer. Cheers, Fabien On Monday, 12 April 2021 at 20:50:48 UTC+2 gr.gr...@gmail.com wrote: > Hello > > Just an information about Pax Web and main branch. I've recently renamed > "master-improvements" branch to "main" - I had two goals with this action: > - show that my long-developed "master-improvements" branch, where I've > literally refactored big part of Pax Web (to adjust to new Whiteboard > requirements) is ready to be worked on by others > - adjust to new standards, where "main" is the new "master" > > Unfortunately this new "main" branch is still far from being released (I > had few months break again and I have to "feel" it again) and usual > practice, where some change is always made in newest branch and then > backported to maintenance branches. "main" branch is MUCH different than > pax-web-7.2.x – pax-web-7.4.x branches. > > Also, remember that 3 active maintenance branches of Pax Web are: > - pax-web-7.2.x - the branch used by Karaf 4.2.x, with Jetty 9, Tomcat 8 > and Undertow 1.x - the branch using Servlet API 3.1 > - pax-web-7.3.x - the "tech preview branch 1" with Jetty 9, Tomcat 9 and > Undertow 2.0.x - the branch using Servlet API 4 > - pax-web-7.4.x - the "tech preview branch 2" with Jetty 9, Tomcat 9 and > Undertow 2.2.x - the branch using Servlet API 4 and Undertow 2.2.x which > "got back" OSGi metadata since 2.2.5.Final ( > https://issues.redhat.com/browse/UNDERTOW-1852) > > Karaf 4.3.x chose pax-web-7.3.x despite it's still not proper OSGi CMPN 7 > implementation (the goal is to have Pax Web 8 compliant to OSGi CMPN 7 > specification, but it reaally required lots of fundamental changes, > I was describing for at least a year). > > I hope this clarifies the state of Pax Web. > > kind regards > Grzegorz Grzybek > > pon., 12 kwi 2021 o 20:26 Jean-Baptiste Onofré > napisał(a): > >> Hi, >> >> It’s already plan and I have Pax Web releases on the way, including this >> and other fixes. >> >> So, don’t worry, we will have the Pax Web releases tomorrow. >> >> Regards >> JB >> >> Le 12 avr. 2021 à 18:25, 'Fabien S' via OPS4J a >> écrit : >> >> I created this issue about the upgrade to Jetty 9.4.39.v20210325 because >> some lower version are impacted by CVE-2021-28165. >> >> https://github.com/ops4j/org.ops4j.pax.web/issues/1594 >> >> I wanted to try to do the change by myself, and I hoped that creating a >> pull request would allow me to run the regression tests but in fact I don't >> know how to trigger these tests. I'm not even sure that I created a commit >> for the right target branch. Could anybody assist me please? >> >> Cheers, >> Fabien >> >> -- >> -- >> -- >> OPS4J - http://www.ops4j.org - op...@googlegroups.com >> >> --- >> You received this message because you are subscribed to the Google Groups >> "OPS4J" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ops4j+un...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/ops4j/c195a8ad-7e90-47ff-b4ff-aa0435e58528n%40googlegroups.com >> >> <https://groups.google.com/d/msgid/ops4j/c195a8ad-7e90-47ff-b4ff-aa0435e58528n%40googlegroups.com?utm_medium=email_source=footer> >> . >> >> >> -- >> -- >> -- >> OPS4J - http://www.ops4j.org - op...@googlegroups.com >> >> --- >> You received this message because you are subscribed to the Google Groups >> "OPS4J" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ops4j+un...@googlegroups.com. >> > To view this discussion on the web visit >> https://groups.google.com/d/msgid/ops4j/98638032-D996-4E58-BC9E-42B18FD34872%40gmail.com >> >> <https://groups.google.com/d/msgid/ops4j/98638032-D996-4E58-BC9E-42B18FD34872%40gmail.com?utm_medium=email_source=footer> >> . >> > -- -- -- OPS4J - http://www.ops4j.org - ops4j@googlegroups.com --- You received this message because you are subscribed to the Google Groups "OPS4J" group. To unsubscribe from this group and stop receiving emails from it, send an email to ops4j+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ops4j/744966d3-b9a5-42b6-adf1-4aeb394b8ec4n%40googlegroups.com.
upgrade to Jetty 9.4.39.v20210325
I created this issue about the upgrade to Jetty 9.4.39.v20210325 because some lower version are impacted by CVE-2021-28165. https://github.com/ops4j/org.ops4j.pax.web/issues/1594 I wanted to try to do the change by myself, and I hoped that creating a pull request would allow me to run the regression tests but in fact I don't know how to trigger these tests. I'm not even sure that I created a commit for the right target branch. Could anybody assist me please? Cheers, Fabien -- -- -- OPS4J - http://www.ops4j.org - ops4j@googlegroups.com --- You received this message because you are subscribed to the Google Groups "OPS4J" group. To unsubscribe from this group and stop receiving emails from it, send an email to ops4j+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ops4j/c195a8ad-7e90-47ff-b4ff-aa0435e58528n%40googlegroups.com.
