Hi

You can create your own custom Karaf distribution upgrading PaxWeb/Jetty.
Or you can update to the latest Karaf version.

Regards
JB

On Tue, Feb 27, 2024 at 12:57 PM Chandan Singh <[email protected]> wrote:

> Is there any way we can upgrade the jetty version in Karaf 4.3.10 to the
> latest jetty version?
>
> Regards
> Chandan
>
> On Thu, Feb 22, 2024 at 7:12 PM Grzegorz Grzybek <[email protected]>
> wrote:
>
>> Hello
>>
>> Karaf 4.3.x uses Pax Web 7.x and there exists a pax-jetty-http2 feature. It
>> comes with a warning:
>>
>> Please beware, for this feature to run properly you'll need to add the
>> alpn-boot.jar to the
>> lib/ext folder of Karaf in some cases of your JVM.
>>
>> So it's kind of not working by default. But it depends on how smart (or
>> dumb, which is more often probably...) the scanner is. When you start fresh
>> Karaf you don't even have HTTP server running at all. So it's kind of "safe
>> by default". But you can install any bundle there - whether or not it comes
>> from standard Karaf features.
>>
>> In other words - I don't have a good answer... I just wanted to communicate
>> that it's not an easy question ;)
>>
>> regards
>> Grzegorz Grzybek
>>
>> On Thu, Feb 22, 2024 at 13:47, Richard Hierlmeier <[email protected]>
>> wrote:
>>
>>> We already did a security scan; it detected CVE-2023-36478 and
>>> CVE-2023-44487
>>>
>>> Both CVEs are related to HTTP2. I have thought that HTTP2 is not
>>> possible in Karaf 4.3.
>>>
>>> Can someone confirm this assumption?
>>>
>>> Regards
>>>
>>> Richard
>>>
>>>
>>> On Thu, Feb 22, 2024 at 11:23, Chandan Singh <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> During a recent Security Scan we found a vulnerability reported
>>>> regarding the Jetty version in Apache Karaf 4.3.10. Does anyone have
>>>> any recommendations on the same?
>>>>
>>>> Regards
>>>> Chandan
