Hi,

Tomcat has been updated in Pax Web 9. Karaf 4.4.7 will be submitted to vote soon (today); after that I will focus on Karaf 4.5.0, where Pax Web (and Tomcat) will be updated.
Regards
JB

On Tue, Jan 14, 2025 at 1:34 PM Martin Zukal via user <user@karaf.apache.org> wrote:
>
> Hi Stephan,
>
> Thanks for the hint and thank you for sharing your karaf-maven-plugin
> configuration.
>
> I am using startupFeatures but if I specify the version it works too. So I
> now have Apache Karaf 4.4.3 with pax-web 8.0.29.
>
> Thank you for your help!
>
> Best regards
>
> Martin
>
>
> From: Siano, Stephan <stephan.si...@sap.com>
> Sent: Tuesday, January 14, 2025 12:45 PM
> To: user@karaf.apache.org; Martin Zukal <martin.zu...@stabilit.ch>
> Subject: RE: upgrade apache tomcat bundled in pax-web
>
> Hi Martin,
>
> Tomcat is strongly merged into the pax-web bundles, so you won't get any
> progress without updating the Tomcat version in pax-web and having a new
> pax-web version. Maybe you could open a JIRA task there (or even create a
> contribution in the pax-web project).
>
> The idea is that in the project where you build the assembly you add the
> following Maven dependency:
>
>     <dependency>
>       <groupId>org.ops4j.pax.web</groupId>
>       <artifactId>pax-web-features</artifactId>
>       <classifier>features</classifier>
>       <type>xml</type>
>       <version>${pax.web.version}</version>
>       <scope>runtime</scope>
>     </dependency>
>
> Then the configuration of the karaf-maven-plugin looks like this:
>
>     <plugin>
>       <groupId>org.apache.karaf.tooling</groupId>
>       <artifactId>karaf-maven-plugin</artifactId>
>       <extensions>true</extensions>
>       <configuration>
>         <framework>framework-logback</framework>
>         <!-- no startupFeatures -->
>         <bootFeatures>
>           <feature>standard</feature>
>           <feature>pax-web-tomcat/${pax.web.version}</feature>
>           <feature>pax-web-tomcat-websockets/${pax.web.version}</feature>
>           <feature>pax-web-http-tomcat/${pax.web.version}</feature>
>           <feature>pax-web-war/${pax.web.version}</feature>
>           <feature>pax-web-whiteboard/${pax.web.version}</feature>
>           <feature>pax-web-jsp/${pax.web.version}</feature>
>           ...
>         </bootFeatures>
>         <!-- no installedFeatures -->
>       </configuration>
>     </plugin>
>
> Best regards
>
> Stephan
>
>
> From: Martin Zukal via user <user@karaf.apache.org>
> Sent: Tuesday, 14 January 2025 12:20
> To: user@karaf.apache.org
> Subject: RE: upgrade apache tomcat bundled in pax-web
>
> Hi Stephan,
>
> Thanks for the response! Good to hear that.
>
> Do I understand correctly that you install the new pax-web version as an
> additional feature (maybe with <startupFeature>) and leave the original
> version provided by Karaf there as well? Using pax-web 8.0.29 would help a
> lot, but if I want to really use the newest Tomcat version it is still not
> sufficient, so I will continue investigating that.
>
> Best regards
>
> Martin
>
>
> From: Siano, Stephan <stephan.si...@sap.com>
> Sent: Tuesday, January 14, 2025 11:17 AM
> To: user@karaf.apache.org; Martin Zukal <martin.zu...@stabilit.ch>
> Subject: RE: upgrade apache tomcat bundled in pax-web
>
> Hi Martin,
>
> It is possible to have a newer pax-web version (including pax-web-tomcat)
> with a custom Karaf distribution. We are currently using Karaf 4.4.6 with
> pax-web 8.0.29.
>
> Concerning security scans: I haven't managed to make the karaf-maven-plugin
> not install the pax-web version that comes with the Karaf version (8.0.27
> in the case of Karaf 4.4.6) into the repository as well (so you have two
> versions of pax-web in the Karaf repository). This means that code scans will
> still find the old Tomcat version even though only the newer one is installed
> into the running Karaf container.
>
> Best regards
>
> Stephan
>
>
> From: Martin Zukal via user <user@karaf.apache.org>
> Sent: Tuesday, 14 January 2025 10:37
> To: user@karaf.apache.org
> Subject: upgrade apache tomcat bundled in pax-web
>
> Hello everyone,
>
> We received the results of a security scan of our application running on Apache
> Karaf 4.4.3. One of the issues is that there is an old and vulnerable
> component in use, Apache Tomcat version 9.0.70 in particular. This
> comes from the pax-web feature (version 8.0.15 in Karaf 4.4.3).
>
> I checked what version of pax-web is used in Karaf 4.4.6 and found out that
> it is 8.0.27. According to what I was able to find, version 8.0.27 of pax-web
> uses Apache Tomcat version 9.0.87. Unfortunately this version of Tomcat still
> has some known vulnerabilities (see
> https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.87).
> Even the newest version of pax-web (8.0.29) uses a vulnerable version of
> Apache Tomcat, 9.0.96 (see
> https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.96).
> The only 9.x version of Tomcat without vulnerabilities is 9.0.98.
>
> My question is whether it is possible to upgrade just the Tomcat feature
> (pax-web-tomcat). If so, how can I do that? Is it possible to configure the
> karaf-maven-plugin to package the newest version of Tomcat in the assembly?
>
> Best Regards
>
> Martin Zukal
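Stephan's observation that the karaf-maven-plugin leaves both pax-web versions in the assembly's repository, so a scan still reports the old Tomcat even though only the new feature boots, can be checked mechanically before the scanner does it for you. The script below is an added example written for this thread, not code from Karaf, Pax Web or any of the participants. It walks a Maven-layout repository (the layout the Karaf assembly writes under system/), reads the META-INF/maven/<group>/<artifact>/pom.properties entries that shaded dependencies normally carry (the assumption here is that a pax-web-tomcat bundle still carries Tomcat's; that file is what dependency scanners key on), and lists every version of each watched artifact, flagging coordinates present more than once. The repository it builds is constructed sample data using the pax-web/Tomcat version pairs quoted in the thread.

```python
"""Inventory a Karaf system/ repository for every pax-web and Tomcat version.

Added example for the mailing-list thread above; not Karaf or Pax Web code.
Assumes Karaf's Maven directory layout under system/ and that a bundle which
shades Tomcat keeps Tomcat's META-INF/maven/.../pom.properties (assumption).
"""
import re
import tempfile
import zipfile
from collections import defaultdict
from pathlib import Path

POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
WATCHED_GROUP_PREFIXES = ("org.ops4j.pax.web", "org.apache.tomcat")


def _parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def embedded_coordinates(jar_path):
    """Return {(groupId, artifactId, version)} for each pom.properties in a jar."""
    coords = set()
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            match = POM_PROPS_RE.match(name)
            if not match:
                continue
            props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
            version = props.get("version")
            if version:
                coords.add((props.get("groupId", match.group(1)),
                            props.get("artifactId", match.group(2)), version))
    return coords


def inventory(repo_root, prefixes=WATCHED_GROUP_PREFIXES):
    """Map 'groupId:artifactId' -> sorted versions found under repo_root.

    A version counts whether the artifact is its own jar in the repository
    (system/<group path>/<artifact>/<version>/x.jar) or is shaded into another
    bundle; a scanner does not care which.
    """
    root = Path(repo_root)
    found = defaultdict(set)
    for jar in root.rglob("*.jar"):
        parts = jar.relative_to(root).parts
        if len(parts) >= 4:  # group/.../artifact/version/file.jar
            found[(".".join(parts[:-3]), parts[-3])].add(parts[-2])
        for group, artifact, version in embedded_coordinates(jar):
            found[(group, artifact)].add(version)
    return {f"{g}:{a}": sorted(vs) for (g, a), vs in found.items()
            if g.startswith(prefixes)}


def duplicates(inv):
    """Coordinates present in more than one version: the scanner will report
    the old one even if only the new feature is installed in the container."""
    return {coord: vs for coord, vs in inv.items() if len(vs) > 1}


def _write_jar(path, embedded=()):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for group, artifact, version in embedded:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"groupId={group}\nartifactId={artifact}\nversion={version}\n")


def build_constructed_repo(root):
    """Constructed sample data: two pax-web-tomcat bundles side by side, each
    shading the Tomcat version the thread attributes to it, plus a bystander."""
    root = Path(root)
    pw = root / "org" / "ops4j" / "pax" / "web" / "pax-web-tomcat"
    _write_jar(pw / "8.0.27" / "pax-web-tomcat-8.0.27.jar",
               [("org.apache.tomcat.embed", "tomcat-embed-core", "9.0.87")])
    _write_jar(pw / "8.0.29" / "pax-web-tomcat-8.0.29.jar",
               [("org.apache.tomcat.embed", "tomcat-embed-core", "9.0.96")])
    _write_jar(root / "com" / "example" / "unrelated" / "1.0" / "unrelated-1.0.jar")
    return root


def demo():
    """Build the constructed repository and return (inventory, duplicates)."""
    with tempfile.TemporaryDirectory() as tmp:
        inv = inventory(build_constructed_repo(Path(tmp) / "system"))
        return inv, duplicates(inv)


if __name__ == "__main__":
    inv, dups = demo()
    for coord, versions in sorted(inv.items()):
        flag = "  <-- more than one version" if coord in dups else ""
        print(f"{coord}: {', '.join(versions)}{flag}")
```

Against a real build, point inventory() at target/assembly/system (or the unpacked distribution's system/ directory); every entry duplicates() returns is one the scanner will flag regardless of which pax-web feature the container actually boots, which is exactly the situation Stephan describes.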