Hello Fabien As I've mentioned in the announcement email[1]:
I'd like to announce that I've just released Pax Web 7.4.0 that should NOT > be treated as direct replacement of existing 7.2.x and 7.3.x lines. > > The purpose of this release is to leverage > https://issues.redhat.com/browse/UNDERTOW-1852 issue, which brought back > OSGi support to Undertow. > So Pax Web 7.4.x should be treated as tech preview version of Pax web 7.3.x which was ALSO a tech preview (because of incomplete Servlet API 4 implementation - only Undertow 2.0.x and Tomcat 9 are Servlet API 4 compatible, Jetty 9.4 is still Servlet API 3.1). But I believe 7.3 is well established now, so there's really nothing "better" in Pax Web 7.4 except more dependencies on Wildfly libraries (because surprisingly, XNIO after 3.3.x requires more JBoss/Wildfly libraries, some of which are not proper OSGi bundles). kind regards Grzegorz Grzybek [1]: https://groups.google.com/g/ops4j-announcement/c/_mEbz_sAx40 pon., 17 maj 2021 o 11:13 'Fabien S' via OPS4J <[email protected]> napisał(a): > Hi all, > Would you have any idea when a new version 7.4.2 of Pax Web would be > available? In the projects of my company, we have to make the decision > either to wait for it, or to release our software without upgrading Pax Web > (and possibly applying some workarounds to prevent the Deny of service > vulnerability). > > Cheers, > Fabien > > On Tuesday, 13 April 2021 at 09:18:01 UTC+2 [email protected] wrote: > >> I’m doing on all branches. >> >> Regards >> JB >> >> Le 13 avr. 2021 à 08:30, Grzegorz Grzybek <[email protected]> a écrit : >> >> Hello >> >> Yes - an upgrade to Jetty 9.4.39 is fine. Just no need to do it in `main` >> branch, because I've already updated it locally in very not-ready-yet code. >> >> regards >> Grzegorz >> >> wt., 13 kwi 2021 o 08:25 'Fabien S' via OPS4J <[email protected]> >> napisał(a): >> >>> Hi, thank you a lot for your help and explanations! >>> Regarding the vulnerability, maybe it's possible to include in the code >>> of the application this work-around: >>> >>> https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w >>> but I'm not sure it would handle all the cases, so relying on an >>> official fix from Jetty would be safer. >>> >>> Cheers, >>> Fabien >>> >>> On Monday, 12 April 2021 at 20:50:48 UTC+2 [email protected] wrote: >>> >>>> Hello >>>> >>>> Just an information about Pax Web and main branch. I've recently >>>> renamed "master-improvements" branch to "main" - I had two goals with this >>>> action: >>>> - show that my long-developed "master-improvements" branch, where I've >>>> literally refactored big part of Pax Web (to adjust to new Whiteboard >>>> requirements) is ready to be worked on by others >>>> - adjust to new standards, where "main" is the new "master" >>>> >>>> Unfortunately this new "main" branch is still far from being released >>>> (I had few months break again and I have to "feel" it again) and usual >>>> practice, where some change is always made in newest branch and then >>>> backported to maintenance branches. "main" branch is MUCH different than >>>> pax-web-7.2.x – pax-web-7.4.x branches. >>>> >>>> Also, remember that 3 active maintenance branches of Pax Web are: >>>> - pax-web-7.2.x - the branch used by Karaf 4.2.x, with Jetty 9, Tomcat >>>> 8 and Undertow 1.x - the branch using Servlet API 3.1 >>>> - pax-web-7.3.x - the "tech preview branch 1" with Jetty 9, Tomcat 9 >>>> and Undertow 2.0.x - the branch using Servlet API 4 >>>> - pax-web-7.4.x - the "tech preview branch 2" with Jetty 9, Tomcat 9 >>>> and Undertow 2.2.x - the branch using Servlet API 4 and Undertow 2.2.x >>>> which "got back" OSGi metadata since 2.2.5.Final ( >>>> https://issues.redhat.com/browse/UNDERTOW-1852) >>>> >>>> Karaf 4.3.x chose pax-web-7.3.x despite it's still not proper OSGi CMPN >>>> 7 implementation (the goal is to have Pax Web 8 compliant to OSGi CMPN 7 >>>> specification, but it reaaaaaaaaaally required lots of fundamental changes, >>>> I was describing for at least a year). >>>> >>>> I hope this clarifies the state of Pax Web. >>>> >>>> kind regards >>>> Grzegorz Grzybek >>>> >>>> pon., 12 kwi 2021 o 20:26 Jean-Baptiste Onofré <[email protected]> >>>> napisał(a): >>>> >>>>> Hi, >>>>> >>>>> It’s already plan and I have Pax Web releases on the way, including >>>>> this and other fixes. >>>>> >>>>> So, don’t worry, we will have the Pax Web releases tomorrow. >>>>> >>>>> Regards >>>>> JB >>>>> >>>>> Le 12 avr. 2021 à 18:25, 'Fabien S' via OPS4J <[email protected]> >>>>> a écrit : >>>>> >>>>> I created this issue about the upgrade to Jetty 9.4.39.v20210325 >>>>> because some lower version are impacted by CVE-2021-28165. >>>>> >>>>> https://github.com/ops4j/org.ops4j.pax.web/issues/1594 >>>>> >>>>> I wanted to try to do the change by myself, and I hoped that creating >>>>> a pull request would allow me to run the regression tests but in fact I >>>>> don't know how to trigger these tests. I'm not even sure that I created a >>>>> commit for the right target branch. Could anybody assist me please? >>>>> >>>>> Cheers, >>>>> Fabien >>>>> >>>>> -- >>>>> -- >>>>> ------------------ >>>>> OPS4J - http://www.ops4j.org - [email protected] >>>>> >>>>> --- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "OPS4J" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/ops4j/c195a8ad-7e90-47ff-b4ff-aa0435e58528n%40googlegroups.com >>>>> <https://groups.google.com/d/msgid/ops4j/c195a8ad-7e90-47ff-b4ff-aa0435e58528n%40googlegroups.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>>> >>>>> >>>>> -- >>>>> -- >>>>> ------------------ >>>>> OPS4J - http://www.ops4j.org - [email protected] >>>>> >>>>> --- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "OPS4J" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> >>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/ops4j/98638032-D996-4E58-BC9E-42B18FD34872%40gmail.com >>>>> <https://groups.google.com/d/msgid/ops4j/98638032-D996-4E58-BC9E-42B18FD34872%40gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> >>> -- >>> -- >>> ------------------ >>> OPS4J - http://www.ops4j.org - [email protected] >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "OPS4J" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ops4j/744966d3-b9a5-42b6-adf1-4aeb394b8ec4n%40googlegroups.com >>> <https://groups.google.com/d/msgid/ops4j/744966d3-b9a5-42b6-adf1-4aeb394b8ec4n%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> >> -- >> -- >> ------------------ >> OPS4J - http://www.ops4j.org - [email protected] >> >> --- >> You received this message because you are subscribed to the Google Groups >> "OPS4J" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/ops4j/CAAdXmhoyHLbwWbek3iu6R%2B0wYAqpkaUR0nYSeF%2B%2BT2WFqtjYXg%40mail.gmail.com >> <https://groups.google.com/d/msgid/ops4j/CAAdXmhoyHLbwWbek3iu6R%2B0wYAqpkaUR0nYSeF%2B%2BT2WFqtjYXg%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> >> -- > -- > ------------------ > OPS4J - http://www.ops4j.org - [email protected] > > --- > You received this message because you are subscribed to the Google Groups > "OPS4J" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ops4j/a4795c89-9d7a-4aae-882d-c3ef951ca3b3n%40googlegroups.com > <https://groups.google.com/d/msgid/ops4j/a4795c89-9d7a-4aae-882d-c3ef951ca3b3n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- -- ------------------ OPS4J - http://www.ops4j.org - [email protected] --- You received this message because you are subscribed to the Google Groups "OPS4J" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ops4j/CAAdXmhqOTDvqGN9sgpk_zLHJ-%2BbuxtX-4Re_wug784_aaczHKg%40mail.gmail.com.
