Hi!

It seems that there are security holes in the jetty implementations used by karaf versions up to 4.2.7. The link to the Eclipse site that describes the defects is here:

https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html

It appears that 4.2.8 is coming out in late December, which is a bit late for us to use it in the next version of our product that uses karaf. So, I was wondering how dangerous it would be for me to edit the standard feature in karaf 4.2.6 and replace the jetty dependencies there with references to jetty 9.4.21.<x>? I see no version of 9.4.21 is available on mavenrepository.com yet.

Note: I have not compared karaf 4.2.7 with karaf 4.2.6 yet, but I see it upgraded jetty to 9.4.20.x, which unfortunately is not going to work for us.

Thanks,
Doug

PS. I see it is possible to use tomcat rather than jetty - would that be a better route to go? That looks difficult for us because we have camel configuring jetty engines in spring beans xml. So, it would require reconfiguring cxf/camel to use tomcat. I guess if anyone has experience with how difficult that is, I would appreciate hearing about it.
