Is there any way we can upgrade the Jetty version in Karaf 4.3.10 to the latest Jetty version?

Regards
Chandan

On Thu, Feb 22, 2024 at 7:12 PM Grzegorz Grzybek <gr.grzy...@gmail.com> wrote:

> Hello
>
> Karaf 4.3.x uses Pax Web 7.x and there exists a pax-jetty-http2 feature. It
> comes with a warning:
>
> Please beware, for this feature to run properly you'll need to add the
> alpn-boot.jar to the lib/ext folder of Karaf in some cases of your JVM.
>
> So it's kind of not working by default. But it depends on how smart (or
> dumb, which is more often probably...) the scanner is. When you start a fresh
> Karaf you don't even have an HTTP server running at all. So it's kind of "safe
> by default". But you can install any bundle there - whether or not it comes
> from standard Karaf features.
>
> In other words - I don't have a good answer... I just wanted to communicate
> that it's not an easy question ;)
>
> regards
> Grzegorz Grzybek
>
> On Thu, 22 Feb 2024 at 13:47, Richard Hierlmeier <rhierlme...@googlemail.com>
> wrote:
>
>> We already did a security scan, it detected CVE-2023-36478 and
>> CVE-2023-44487
>>
>> Both CVEs are related to HTTP2. I have thought that HTTP2 is not possible
>> in Karaf 4.3.
>>
>> Can someone confirm this assumption?
>>
>> Regards
>>
>> Richard
>>
>>
>> On Thu, 22 Feb 2024 at 11:23, Chandan Singh <
>> mailbox.chandansi...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> During a recent Security Scan we found a vulnerability reported
>>> regarding the Jetty version in Apache Karaf 4.3.10. Does anyone have
>>> any recommendations on the same?
>>>
>>> [image: image.png]
>>>
>>>
>>> Regards
>>> Chandan
>>>
>>