Hi Karaf Dev team,

We need your advice to help Pentaho continue serving the community safely!

We are looking to remove SnakeYaml 2.x (CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471) and upgrade to a safe SnakeYaml in our solutions. In our efforts we hit a dependency from Karaf 4.4.x. While we managed to substitute SnakeYaml with the 2.x version, we identified further issues with Karaf dependencies like Jackson 2.15+ and CXF 3.6. In particular, CXF 3.6 requires compilation of Karaf with Java 11, else it will fail at runtime.

1. Do you have the same experience?
2. Is there a plan to have a Karaf version with a safe SnakeYaml?
3. Is there a plan to have a Karaf compiled with Java 11?

Any guidance on how we can proceed is welcomed.

--
Mladén Milev
Senior Engineering Manager
Pentaho+ Data Integration and Analytics
Hitachi Vantara
m: +351 927998189
e: [email protected]
