Hi Doug,

Jetty 9.4.21 has been released on September 27th.

I created the Jira both in Pax Web and Jetty
(https://issues.apache.org/jira/browse/KARAF-6446 |
https://ops4j1.jira.com/browse/PAXWEB-1237).

I can release Karaf 4.2.8 before December, not a problem, especially to
address a security issue.

Regarding your question, just upgrading Karaf standard features XML
won't be enough. You would need to update Pax Web as well.

Let me move forward fast on that.

Regards
JB

On 04/10/2019 00:33, Jackson, Douglas wrote:
> Hi!
> 
> It seems that there are security holes in the jetty implementations used
> by karaf versions up to 4.2.7. The link to the Eclipse site that describes
> the defects is here:
> 
> https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
> 
> It appears that 4.2.8 is coming out in late December which is a bit late
> for us to use it in the next version of our product that uses karaf.
> 
> So, I was wondering how dangerous it would be for me to edit the
> standard feature in karaf 4.2.6 and replace the jetty dependencies there
> with references to jetty 9.4.21.<x>?  I see no version of 9.4.21 is
> available on the mavenrepository.com yet.
> 
> Note: I have not compared karaf 4.2.7 with karaf 4.2.6 yet, but I see it
> upgraded jetty to 9.4.20.x which unfortunately is not going to work for us.
> 
> Thanks,
> 
> Doug
> 
> Ps. I see it is possible to use tomcat rather than jetty – would that be
> a better route to go? That looks difficult for us because we have camel
> configuring jetty engines in spring beans xml. So, it would require
> reconfiguring cxf/camel to use tomcat. I guess if anyone has experience
> with how difficult that is I would appreciate hearing about it.
> 

-- 
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
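As an added example, not code from this thread or from the Karaf or Pax Web projects: a small Python check that reads a Karaf features repository XML and lists the bundles of one Maven group pinned below a minimum version, the kind of inventory to run before editing the standard feature as Doug proposes. The features XML, its feature version and the Jetty build qualifiers below are constructed samples; the check only sees the file it is given, so Jetty bundles that arrive through Pax Web's own feature repository are not covered by it.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Karaf features schema used by 4.2.x feature repositories.
NS = {"f": "http://karaf.apache.org/xmlns/features/v1.4.0"}

# Constructed sample in the style of Karaf's standard features file.
# Feature version and the "v00000000" qualifiers are placeholders, not real builds.
SAMPLE_FEATURES = """<features xmlns="http://karaf.apache.org/xmlns/features/v1.4.0" name="sample">
  <feature name="pax-jetty" version="7.2.0">
    <bundle dependency="true" start-level="30">mvn:org.eclipse.jetty/jetty-util/9.4.20.v00000000</bundle>
    <bundle dependency="true" start-level="30">mvn:org.eclipse.jetty/jetty-server/9.4.20.v00000000</bundle>
    <bundle dependency="true" start-level="30">mvn:org.eclipse.jetty/jetty-http/9.4.21.v00000000</bundle>
    <bundle dependency="true" start-level="30">mvn:javax.servlet/javax.servlet-api/3.1.0</bundle>
  </feature>
</features>
"""

# mvn:groupId/artifactId/version[/type[/classifier]], optionally wrapped with wrap:
MVN_URL = re.compile(r"^(?:wrap:)?mvn:([^/]+)/([^/]+)/([^/]+)")


def numeric_version(version):
    """Leading numeric components of a Maven/OSGi version: '9.4.20.v0' -> (9, 4, 20)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break  # stop at the qualifier (e.g. v00000000)
        parts.append(int(piece))
    return tuple(parts)


def find_outdated_bundles(features_xml, group_id, minimum):
    """Return (feature name, artifact, version) for bundles of group_id below minimum."""
    root = ET.fromstring(features_xml)
    floor = numeric_version(minimum)
    outdated = []
    for feature in root.findall("f:feature", NS):
        for bundle in feature.findall("f:bundle", NS):
            match = MVN_URL.match((bundle.text or "").strip())
            if match and match.group(1) == group_id and numeric_version(match.group(3)) < floor:
                outdated.append((feature.get("name"), match.group(2), match.group(3)))
    return outdated


if __name__ == "__main__":
    for name, artifact, version in find_outdated_bundles(SAMPLE_FEATURES, "org.eclipse.jetty", "9.4.21"):
        print(f"{name}: {artifact} is at {version}, below 9.4.21")
```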
