Hi JB , Can you please share how to upgrade just PAxweb/Jetty in the 4.3.10 version? We are already in prod and I cannot upgrade to a new Karaf version .
Regards Chandan On Fri, Mar 1, 2024 at 12:41 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote: > Hi > > You can create your own custom Karaf distribution upgrading PaxWeb/Jetty. > > Or you can update to the latest Karaf version. > > Regards > JB > > On Tue, Feb 27, 2024 at 12:57 PM Chandan Singh < > mailbox.chandansi...@gmail.com> wrote: > >> Is there any way we can upgrade the jetty version in Karaf 4.3.10 to the >> latest jetty version ? >> >> Regards >> Chandan >> >> On Thu, Feb 22, 2024 at 7:12 PM Grzegorz Grzybek <gr.grzy...@gmail.com> >> wrote: >> >>> Hello >>> >>> Karaf 4.3.x uses Pax Web 7.x and there exists pax-jetty-http2 feature. >>> It comes with a warning: >>> >>> Please beware, for this feature to run properly you'll need to add the >>> alpn-boot.jar to the >>> lib/ext folder of Karaf in some cases of your JVM. >>> >>> So it's kind of not working by default. But it depends on how smart (or >>> dumb, which is more often probably...) the scanner is. When you start fresh >>> Karaf you don't even have HTTP server running at all. So it's kind of "safe >>> by default". But you can install any bundle there - whether or not it comes >>> from standard Karaf features. >>> >>> In other words - I don't have good answer... I just wanted to >>> communicate that it's not an easy question ;) >>> >>> regards >>> Grzegorz Grzybek >>> >>> czw., 22 lut 2024 o 13:47 Richard Hierlmeier <rhierlme...@googlemail.com> >>> napisał(a): >>> >>>> We did already a security scan, it detected CVE-2023-36478 and >>>> CVE-2023-44487 >>>> >>>> Both CVEs are related to HTTP2. I have thought that HTTP2 is not >>>> possible in Karaf 4.3. >>>> >>>> Can someone confirm this assumption. >>>> >>>> Regards >>>> >>>> Richard >>>> >>>> >>>> Am Do., 22. Feb. 2024 um 11:23 Uhr schrieb Chandan Singh < >>>> mailbox.chandansi...@gmail.com>: >>>> >>>>> Hi All , >>>>> >>>>> During a recent Security Scan we found a vulnerability reported >>>>> regarding the Jetty version in Apache Karaf 4.3.10 . Does anyone have >>>>> any recommendations on the same ? >>>>> >>>>> [image: image.png] >>>>> >>>>> >>>>> Regards >>>>> Chandan >>>>> >>>>
