Re: upgrade to Jetty 9.4.39.v20210325

2021-05-17 Thread 'Fabien S' via OPS4J
Hi Grzegorz,

Thank you a lot for taking the time to write these explanations, and sorry 
for not having paid enough attention to the announcement. It's all 
clarified now for me.

Cheers,
Fabien

Re: upgrade to Jetty 9.4.39.v20210325

2021-05-17 Thread Grzegorz Grzybek
Hello Fabien

As I've mentioned in the announcement email[1]:

I'd like to announce that I've just released Pax Web 7.4.0 that should NOT
> be treated as direct replacement of existing 7.2.x and 7.3.x lines.
>
> The purpose of this release is to leverage
> https://issues.redhat.com/browse/UNDERTOW-1852 issue, which brought back
> OSGi support to Undertow.
>

So Pax Web 7.4.x should be treated as a tech preview version of Pax Web 7.3.x,
which was ALSO a tech preview (because of incomplete Servlet API 4
implementation - only Undertow 2.0.x and Tomcat 9 are Servlet API 4
compatible, Jetty 9.4 is still Servlet API 3.1).

But I believe 7.3 is well established now, so there's really nothing
"better" in Pax Web 7.4 except more dependencies on Wildfly libraries
(because surprisingly, XNIO after 3.3.x requires more JBoss/Wildfly
libraries, some of which are not proper OSGi bundles).

kind regards
Grzegorz Grzybek

[1]: https://groups.google.com/g/ops4j-announcement/c/_mEbz_sAx40

Re: upgrade to Jetty 9.4.39.v20210325

2021-05-17 Thread Jean-Baptiste Onofré
Hi,

I already released 7.2.x and 7.3.x with the Jetty 9.4.40 update. I will tackle 
7.4.x.

Regards
JB

Re: upgrade to Jetty 9.4.39.v20210325

2021-05-17 Thread 'Fabien S' via OPS4J
Hi all,
Would you have any idea when a new version 7.4.2 of Pax Web would be 
available? In the projects of my company, we have to make the decision 
either to wait for it, or to release our software without upgrading Pax Web 
(and possibly applying some workarounds to prevent the denial-of-service 
vulnerability).

Cheers,
Fabien

On Tuesday, 13 April 2021 at 09:18:01 UTC+2 jeanbapti...@gmail.com wrote:

> I’m doing it on all branches.
>
> Regards
> JB
>
> On 13 Apr 2021 at 08:30, Grzegorz Grzybek wrote:
>
> Hello
>
> Yes - an upgrade to Jetty 9.4.39 is fine. Just no need to do it in `main` 
> branch, because I've already updated it locally in very not-ready-yet code.
>
> regards
> Grzegorz
>
> On Tue, 13 Apr 2021 at 08:25, 'Fabien S' via OPS4J wrote:
>
>> Hi, thank you a lot for your help and explanations!
>> Regarding the vulnerability, maybe it's possible to include in the code 
>> of the application this work-around:
>>
>> https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
>> but I'm not sure it would handle all the cases, so relying on an official 
>> fix from Jetty would be safer.
>>
>> Cheers,
>> Fabien
>>
>> On Monday, 12 April 2021 at 20:50:48 UTC+2 gr.gr...@gmail.com wrote:
>>
>>> Hello
>>>
>>> Just some information about Pax Web and the main branch. I've recently 
>>> renamed the "master-improvements" branch to "main" - I had two goals with this action:
>>>  - show that my long-developed "master-improvements" branch, where I've 
>>> literally refactored big part of Pax Web (to adjust to new Whiteboard 
>>> requirements) is ready to be worked on by others
>>>  - adjust to new standards, where "main" is the new "master"
>>>
>>> Unfortunately this new "main" branch is still far from being released (I 
>>> had a few months' break again and I have to "feel" it again) and from the 
>>> usual practice, where a change is always made in the newest branch and then 
>>> backported to maintenance branches. The "main" branch is MUCH different from 
>>> the pax-web-7.2.x – pax-web-7.4.x branches.
>>>
>>> Also, remember that 3 active maintenance branches of Pax Web are:
>>>  - pax-web-7.2.x - the branch used by Karaf 4.2.x, with Jetty 9, Tomcat 
>>> 8 and Undertow 1.x - the branch using Servlet API 3.1
>>>  - pax-web-7.3.x - the "tech preview branch 1" with Jetty 9, Tomcat 9 
>>> and Undertow 2.0.x - the branch using Servlet API 4
>>>  - pax-web-7.4.x - the "tech preview branch 2" with Jetty 9, Tomcat 9 
>>> and Undertow 2.2.x - the branch using Servlet API 4 and Undertow 2.2.x 
>>> which "got back" OSGi metadata since 2.2.5.Final (
>>> https://issues.redhat.com/browse/UNDERTOW-1852)
>>>
>>> Karaf 4.3.x chose pax-web-7.3.x despite it still not being a proper OSGi CMPN 
>>> 7 implementation (the goal is to have Pax Web 8 compliant with the OSGi CMPN 7 
>>> specification, but it really required lots of fundamental changes, 
>>> which I was describing for at least a year).
>>>
>>> I hope this clarifies the state of Pax Web.
>>>
>>> kind regards
>>> Grzegorz Grzybek
>>>
>>> On Mon, 12 Apr 2021 at 20:26, Jean-Baptiste Onofré wrote:
>>>
>>>> Hi,
>>>>
>>>> It’s already planned and I have Pax Web releases on the way, including 
>>>> this and other fixes.
>>>>
>>>> So, don’t worry, we will have the Pax Web releases tomorrow.
>>>>
>>>> Regards
>>>> JB
>>>>
>>>> On 12 Apr 2021 at 18:25, 'Fabien S' via OPS4J wrote:
>>>>
>>>>> I created this issue about the upgrade to Jetty 9.4.39.v20210325 
>>>>> because some lower versions are impacted by CVE-2021-28165.
>>>>>
>>>>> https://github.com/ops4j/org.ops4j.pax.web/issues/1594
>>>>>
>>>>> I wanted to try to do the change by myself, and I hoped that creating a 
>>>>> pull request would allow me to run the regression tests but in fact I 
>>>>> don't know how to trigger these tests. I'm not even sure that I created 
>>>>> a commit for the right target branch. Could anybody assist me please?
>>>>>
>>>>> Cheers,
>>>>> Fabien
>>>>>
>>>>> -- 
>>>>> OPS4J - http://www.ops4j.org - op...@googlegroups.com
>>>>>
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "OPS4J" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to ops4j+un...@googlegroups.com.
>>>>> To view this discussion on the web visit 
>>>>> https://groups.google.com/d/msgid/ops4j/c195a8ad-7e90-47ff-b4ff-aa0435e58528n%40googlegroups.com.
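The thread turns on one fact: which Jetty version a Pax Web deployment actually runs, and whether it is below the 9.4.39.v20210325 boundary that fixes CVE-2021-28165. In an OSGi container the Jetty jars are separate bundles, so "we upgraded Pax Web" is worth verifying against the container itself. The script below is an added example written for this page; it is not code from the thread, from Pax Web or from Jetty. It assumes the row layout of Karaf 4's `bundle:list -t 0 -s` output (ID, State, Lvl, Version, Symbolic name), treats every `org.eclipse.jetty.*` bundle as a Jetty bundle, and encodes only the boundary the thread documents (9.x below 9.4.39 affected; 10.x/11.x are reported as unassessed, never as safe). The embedded listing is constructed, not captured from a real container, and deliberately shows a partial upgrade so the mixed-version check fires.

```python
"""Audit the Jetty bundles of a Karaf / Pax Web container for CVE-2021-28165.

Only the version boundary documented in this thread is encoded: Jetty 9.x
below 9.4.39.v20210325 is affected, 9.4.39 and 9.4.40 are fixed. Jetty 10.x
and 11.x are outside that and are reported as "unassessed", never as safe.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# First fixed release in the 9.4 line, as the thread states.
FIXED_VERSION = (9, 4, 39)

# One row of Karaf 4 `bundle:list -t 0 -s` output (assumed layout:
# ID, State, Lvl, Version, Symbolic name). Karaf 4 prints the box-drawing
# '│' as the column separator; a plain '|' is accepted as well.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s*[|│]\s*(?P<state>[A-Za-z]+)\s*[|│]"
    r"\s*(?P<lvl>\d+)\s*[|│]\s*(?P<version>[^|│]+?)\s*[|│]\s*(?P<bsn>\S+)"
)

Version = Tuple[int, int, int, str]
Finding = Tuple[str, str]  # (bundle symbolic name, version string)


def parse_osgi_version(text: str) -> Version:
    """Split 'major.minor.micro[.qualifier]' into a tuple whose numeric part
    compares correctly (9.4.9 sorts below 9.4.38, unlike a string compare).
    The qualifier, e.g. 'v20210325', is kept only for reporting."""
    parts = text.strip().split(".", 3)
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))
    qualifier = parts[3] if len(parts) == 4 else ""
    return nums[0], nums[1], nums[2], qualifier


def cve_2021_28165_status(version: str) -> Optional[bool]:
    """True = affected, False = fixed, None = not a 9.x release (10.x/11.x
    have their own fixed versions, which this thread does not cover)."""
    major, minor, micro, _ = parse_osgi_version(version)
    if major != 9:
        return None
    return (major, minor, micro) < FIXED_VERSION


def audit_bundle_list(lines: Iterable[str]) -> Dict[str, object]:
    """Classify every org.eclipse.jetty.* bundle in a `bundle:list` dump and
    flag a partial upgrade: each Jetty jar is its own OSGi bundle, so a
    feature upgrade can leave one of them behind at the old version."""
    affected: List[Finding] = []
    fixed: List[Finding] = []
    unassessed: List[Finding] = []
    versions_seen = set()
    for line in lines:
        m = ROW_RE.match(line)
        if not m or not m.group("bsn").startswith("org.eclipse.jetty."):
            continue
        finding = (m.group("bsn"), m.group("version"))
        versions_seen.add(finding[1])
        status = cve_2021_28165_status(finding[1])
        if status is None:
            unassessed.append(finding)
        elif status:
            affected.append(finding)
        else:
            fixed.append(finding)
    return {
        "affected": affected,
        "fixed": fixed,
        "unassessed": unassessed,
        "mixed_versions": len(versions_seen) > 1,
        "vulnerable": bool(affected),
    }


# Constructed sample, not captured from a real container: the server and util
# bundles were upgraded to 9.4.40 but io and http were left at 9.4.38.
SAMPLE_BUNDLE_LIST = """\
START LEVEL 100 , List Threshold: 0
 ID │ State    │ Lvl │ Version          │ Symbolic name
────┼──────────┼─────┼──────────────────┼────────────────────────────────
 40 │ Active   │  30 │ 9.4.40.v20210413 │ org.eclipse.jetty.server
 41 │ Active   │  30 │ 9.4.40.v20210413 │ org.eclipse.jetty.util
 42 │ Active   │  30 │ 9.4.38.v20210224 │ org.eclipse.jetty.io
 43 │ Resolved │  30 │ 9.4.38.v20210224 │ org.eclipse.jetty.http
 50 │ Active   │  30 │ 7.3.0            │ org.ops4j.pax.web.pax-web-jetty
 60 │ Active   │  30 │ 4.3.0            │ org.apache.karaf.http.core
""".splitlines()


def main() -> int:
    report = audit_bundle_list(SAMPLE_BUNDLE_LIST)
    for bsn, version in report["affected"]:
        print(f"AFFECTED   {bsn} {version} (below 9.4.39.v20210325)")
    for bsn, version in report["fixed"]:
        print(f"fixed      {bsn} {version}")
    for bsn, version in report["unassessed"]:
        print(f"unassessed {bsn} {version} (not a 9.x release)")
    if report["mixed_versions"]:
        print("WARNING: Jetty bundles are at more than one version (partial upgrade)")
    return 1 if report["vulnerable"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Feed it the real output of `bundle:list -t 0 -s` instead of the sample and gate a release on the exit code; a bundle in the `Resolved` or `Installed` state is reported just like an `Active` one, because it is still the code the container will wire in. The mixed-version warning is the check that matters after a feature upgrade: a single stale `org.eclipse.jetty.*` bundle is enough to keep the old code reachable.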