ahgittin opened a new pull request #1285:
URL: https://github.com/apache/brooklyn-server/pull/1285


   This bumps Karaf to a pre-release Karaf 4.3.4 which uses log4j 2.16.0 which 
avoids the CVE-2021-44228 vulnerability.
   
   This uses the staging repo for that version of karaf.  When released we 
should remove the two references to the repo `orgapachekaraf-1165` as they will 
no longer be necessary and will eventually become unavailable.
   
   The new version of Karaf appears to work fine, but two things should be 
checked:
   
   * Newer version of bouncycastle used by this Karaf -- does SSH via jclouds 
still work?  Previously upgrading this version has been problematic.
   * Older version of Jackson used -- less than what Karaf wants -- seems not 
to cause problems though there is a new `ERROR  BundleWiring is null for: 
javax.mail [3]` in the log; more testing is needed, or update Brooklyn code to 
work with the newer version of Jackson (the issue is that the Jackson method 
overridden by our `AsPropertyIfAmbiguous._deserializeTypedForId` is no longer 
available, and deserialization requires this in some cases; there is a unit 
test which fails if this is not invoked)
   
   We will merge this as the log4j bug is severe and @jcabrerizo has reviewed 
(actually he did most of the work and I reviewed!) -- and we will do testing on 
the release.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
