Re: Undertow CVE

2021-01-29 Thread Jean-Baptiste Onofre
It sounds like a plan for Undertow in Pax Web and wrapping (or even no need to use an SMX bundle, just a private package for pax-web-undertow).

Regards
JB

> On 29 Jan. 2021 at 16:32, Grzegorz Grzybek wrote:
>
> No worries about OSGi ;)
>
> Pax Web doesn't have plans to upgrade to Undertow

Re: Undertow CVE

2021-01-29 Thread Grzegorz Grzybek
No worries about OSGi ;)

Pax Web doesn't have plans to upgrade to Undertow 2.1+ for now. And if it does, it'll repackage and re-export it with version 2.2. So (Pax Web 9?) it'll be the OSGi repackaging of Undertow (maybe in addition to the SMX bundle).

regards
Grzegorz Grzybek

Fri., 29 Jan 2021 at

Re: Undertow CVE

2021-01-29 Thread Freeman Fang
Hi Colm and Grzegorz,

Based on the facts:

1. The CVE got fixed since Undertow 2.2.0 (not in 2.1.5).
2. Since Undertow 2.1.0, there is no OSGi support.
3. CXF 3.4.x uses Undertow 2.1.x already.
4. The CXF OSGi features.xml cxf-http-undertow feature reuses pax-http-undertow, so always reuses the undertow

Re: Undertow CVE

2021-01-29 Thread Colm O hEigeartaigh
Hi Grzegorz,

Thanks - I was hoping actually that 2.1.5 would have fixed the CVE, and the CVE information was out of date :-)

Colm.

On Fri, Jan 29, 2021 at 10:26 AM Grzegorz Grzybek wrote:
> Hello
>
> Seeing that Undertow 2.2 is mentioned, I'd just like to highlight that
> it's no longer an

Re: Undertow CVE

2021-01-29 Thread Grzegorz Grzybek
Hello

Seeing that Undertow 2.2 is mentioned, I'd just like to highlight that it's no longer an OSGi bundle (see https://issues.redhat.com/browse/UNDERTOW-1684) - if this matters at all for CXF :)

kind regards
Grzegorz Grzybek

Fri., 29 Jan 2021 at 11:19 Colm O hEigeartaigh wrote:
> Hey

Undertow CVE

2021-01-29 Thread Colm O hEigeartaigh
Hey Freeman,

Can you check if the latest Undertow 2.1.x release (2.1.5) is still vulnerable to this CVE? https://nvd.nist.gov/vuln/detail/CVE-2020-10687

If yes, can we update CXF to Undertow 2.2.x to avoid the CVE? I see Camel has already updated.

Thanks,
Colm.