Hi all,
Would you have any idea when a new version 7.4.2 of Pax Web would be 
available? In the projects of my company, we have to make the decision 
either to wait for it, or to release our software without upgrading Pax Web 
(and possibly applying some workarounds to prevent the denial-of-service 
vulnerability).

Cheers,
Fabien

On Tuesday, 13 April 2021 at 09:18:01 UTC+2 [email protected] wrote:

> I’m doing it on all branches.
>
> Regards
> JB
>
> On 13 Apr 2021 at 08:30, Grzegorz Grzybek <[email protected]> wrote:
>
> Hello
>
> Yes - an upgrade to Jetty 9.4.39 is fine. Just no need to do it in `main` 
> branch, because I've already updated it locally in very not-ready-yet code.
>
> regards
> Grzegorz
>
> On Tue, 13 Apr 2021 at 08:25, 'Fabien S' via OPS4J <[email protected]> 
> wrote:
>
>> Hi, thank you a lot for your help and explanations!
>> Regarding the vulnerability, maybe it's possible to include in the code 
>> of the application this work-around:
>>
>> https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
>> but I'm not sure it would handle all the cases, so relying on an official 
>> fix from Jetty would be safer.
>>
>> Cheers,
>> Fabien
>>
>> On Monday, 12 April 2021 at 20:50:48 UTC+2 [email protected] wrote:
>>
>>> Hello
>>>
>>> Just some information about Pax Web and the main branch. I've recently renamed 
>>> the "master-improvements" branch to "main" - I had two goals with this action:
>>>  - show that my long-developed "master-improvements" branch, where I've 
>>> literally refactored a big part of Pax Web (to adjust to new Whiteboard 
>>> requirements) is ready to be worked on by others
>>>  - adjust to new standards, where "main" is the new "master"
>>>
>>> Unfortunately this new "main" branch is still far from being released (I 
>>> had a few months' break again and I have to "feel" it again) and usual 
>>> practice, where some change is always made in newest branch and then 
>>> backported to maintenance branches. "main" branch is MUCH different than 
>>> pax-web-7.2.x – pax-web-7.4.x branches.
>>>
>>> Also, remember that 3 active maintenance branches of Pax Web are:
>>>  - pax-web-7.2.x - the branch used by Karaf 4.2.x, with Jetty 9, Tomcat 
>>> 8 and Undertow 1.x - the branch using Servlet API 3.1
>>>  - pax-web-7.3.x - the "tech preview branch 1" with Jetty 9, Tomcat 9 
>>> and Undertow 2.0.x - the branch using Servlet API 4
>>>  - pax-web-7.4.x - the "tech preview branch 2" with Jetty 9, Tomcat 9 
>>> and Undertow 2.2.x - the branch using Servlet API 4 and Undertow 2.2.x 
>>> which "got back" OSGi metadata since 2.2.5.Final (
>>> https://issues.redhat.com/browse/UNDERTOW-1852)
>>>
>>> Karaf 4.3.x chose pax-web-7.3.x despite it still not being a proper OSGi CMPN 
>>> 7 implementation (the goal is to have Pax Web 8 compliant to OSGi CMPN 7 
>>> specification, but it reaaaaaaaaaally required lots of fundamental changes, 
>>> I was describing for at least a year).
>>>
>>> I hope this clarifies the state of Pax Web.
>>>
>>> kind regards
>>> Grzegorz Grzybek
>>>
>>> On Mon, 12 Apr 2021 at 20:26, Jean-Baptiste Onofré <[email protected]> 
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> It’s already planned and I have Pax Web releases on the way, including 
>>>> this and other fixes.
>>>>
>>>> So, don’t worry, we will have the Pax Web releases tomorrow.
>>>>
>>>> Regards
>>>> JB
>>>>
>>>> On 12 Apr 2021 at 18:25, 'Fabien S' via OPS4J <[email protected]> 
>>>> wrote:
>>>>
>>>> I created this issue about the upgrade to Jetty 9.4.39.v20210325 
>>>> because some lower versions are impacted by CVE-2021-28165.
>>>>
>>>> https://github.com/ops4j/org.ops4j.pax.web/issues/1594
>>>>
>>>> I wanted to try to do the change by myself, and I hoped that creating a 
>>>> pull request would allow me to run the regression tests but in fact I 
>>>> don't know how to trigger these tests. I'm not even sure that I created a 
>>>> commit for the right target branch. Could anybody assist me please?
>>>>
>>>> Cheers,
>>>> Fabien
>>>>
>>>> -- 
>>>> -- 
>>>> ------------------
>>>> OPS4J - http://www.ops4j.org - [email protected]
>>>>
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "OPS4J" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to [email protected].
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/d/msgid/ops4j/c195a8ad-7e90-47ff-b4ff-aa0435e58528n%40googlegroups.com
>>>>  
>>>> <https://groups.google.com/d/msgid/ops4j/c195a8ad-7e90-47ff-b4ff-aa0435e58528n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>
>
