Hi

You can create your own custom Karaf distribution upgrading PaxWeb/Jetty.
Or you can update to the latest Karaf version.

Regards
JB

On Tue, Feb 27, 2024 at 12:57 PM Chandan Singh <mailbox.chandansi...@gmail.com> wrote:

> Is there any way we can upgrade the jetty version in Karaf 4.3.10 to the
> latest jetty version?
>
> Regards
> Chandan
>
> On Thu, Feb 22, 2024 at 7:12 PM Grzegorz Grzybek <gr.grzy...@gmail.com> wrote:
>
>> Hello
>>
>> Karaf 4.3.x uses Pax Web 7.x and there exists a pax-jetty-http2 feature. It
>> comes with a warning:
>>
>> Please beware, for this feature to run properly you'll need to add the
>> alpn-boot.jar to the
>> lib/ext folder of Karaf in some cases of your JVM.
>>
>> So it's kind of not working by default. But it depends on how smart (or
>> dumb, which is more often probably...) the scanner is. When you start fresh
>> Karaf you don't even have HTTP server running at all. So it's kind of "safe
>> by default". But you can install any bundle there - whether or not it comes
>> from standard Karaf features.
>>
>> In other words - I don't have a good answer... I just wanted to communicate
>> that it's not an easy question ;)
>>
>> regards
>> Grzegorz Grzybek
>>
>> On Thu, Feb 22, 2024 at 13:47 Richard Hierlmeier <rhierlme...@googlemail.com> wrote:
>>
>>> We already did a security scan; it detected CVE-2023-36478 and
>>> CVE-2023-44487.
>>>
>>> Both CVEs are related to HTTP2. I have thought that HTTP2 is not
>>> possible in Karaf 4.3.
>>>
>>> Can someone confirm this assumption?
>>>
>>> Regards
>>>
>>> Richard
>>>
>>> On Thu, Feb 22, 2024 at 11:23 Chandan Singh <mailbox.chandansi...@gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> During a recent Security Scan we found a vulnerability reported
>>>> regarding the Jetty version in Apache Karaf 4.3.10. Does anyone have
>>>> any recommendations on the same?
>>>>
>>>> Regards
>>>> Chandan