In that case, please double check first if you are actually impacted by the CVE.

It's possible to tweak your Karaf version by updating, but you have to
do it "cold".

Regards
JB

On Mon, Mar 4, 2024 at 6:21 AM Chandan Singh
<mailbox.chandansi...@gmail.com> wrote:
>
> Hi JB ,
>
> Can you please share how to upgrade just PaxWeb/Jetty in the 4.3.10 version?
> We are already in prod and I cannot upgrade to a new Karaf version.
>
> Regards
> Chandan
>
> On Fri, Mar 1, 2024 at 12:41 PM Jean-Baptiste Onofré <j...@nanthrax.net> 
> wrote:
>>
>> Hi
>>
>> You can create your own custom Karaf distribution upgrading PaxWeb/Jetty.
>>
>> Or you can update to the latest Karaf version.
>>
>> Regards
>> JB
>>
>> On Tue, Feb 27, 2024 at 12:57 PM Chandan Singh 
>> <mailbox.chandansi...@gmail.com> wrote:
>>>
>>> Is there any way we can upgrade the jetty version in Karaf 4.3.10 to the 
>>> latest jetty version ?
>>>
>>> Regards
>>> Chandan
>>>
>>> On Thu, Feb 22, 2024 at 7:12 PM Grzegorz Grzybek <gr.grzy...@gmail.com> 
>>> wrote:
>>>>
>>>> Hello
>>>>
>>>> Karaf 4.3.x uses Pax Web 7.x and there exists pax-jetty-http2 feature. It 
>>>> comes with a warning:
>>>>
>>>> Please beware, for this feature to run properly you'll need to add the 
>>>> alpn-boot.jar to the
>>>> lib/ext folder of Karaf in some cases of your JVM.
>>>>
>>>> So it's kind of not working by default. But it depends on how smart (or 
>>>> dumb, which is more often probably...) the scanner is. When you start 
>>>> fresh Karaf you don't even have HTTP server running at all. So it's kind 
>>>> of "safe by default". But you can install any bundle there - whether or 
>>>> not it comes from standard Karaf features.
>>>>
>>>> In other words - I don't have a good answer... I just wanted to communicate
>>>> that it's not an easy question ;)
>>>>
>>>> regards
>>>> Grzegorz Grzybek
>>>>
>>>> On Thu, 22 Feb 2024 at 13:47 Richard Hierlmeier <rhierlme...@googlemail.com>
>>>> wrote:
>>>>>
>>>>> We did already a security scan, it detected  CVE-2023-36478 and 
>>>>> CVE-2023-44487
>>>>>
>>>>> Both CVEs are related to HTTP2. I have thought that HTTP2 is not possible 
>>>>> in Karaf 4.3.
>>>>>
>>>>> Can someone confirm this assumption?
>>>>>
>>>>> Regards
>>>>>
>>>>>     Richard
>>>>>
>>>>>
>>>>> On Thu, 22 Feb 2024 at 11:23 Chandan Singh
>>>>> <mailbox.chandansi...@gmail.com> wrote:
>>>>>>
>>>>>> Hi All ,
>>>>>>
>>>>>> During a recent Security Scan we found a vulnerability reported
>>>>>> regarding the Jetty version in Apache Karaf 4.3.10. Does anyone have
>>>>>> any recommendations on the same?
>>>>>>
>>>>>> Regards
>>>>>> Chandan
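JB's advice to "double check first if you are actually impacted" and Grzegorz's point that HTTP/2 in Karaf 4.3 only exists through the pax-jetty-http2 feature (and that a fresh Karaf runs no HTTP server at all) can be turned into a repeatable triage script. The script below is an added example written for this thread, not code from the Karaf or Pax Web projects. It assumes that Karaf 4.3 / Pax Web 7 ships the Jetty 9.4 line and that 9.4.53 is the first 9.4.x release carrying the fixes for CVE-2023-36478 and CVE-2023-44487 (verify this against the Jetty advisories for your branch; the threshold is overridable through the `JETTY_FIXED_VERSION` environment variable). The `feature:list -i` and `bundle:list -t 0` commands are real Karaf shell commands, but the listings embedded below are constructed samples that only approximate their output, so adjust the parsing if your instance prints different column layouts.

```shell
#!/bin/sh
# Added example, not from the thread: an offline exposure check for the two
# Jetty HTTP/2 CVEs discussed above, applied to a Karaf 4.3.x instance.
# It parses captured output of two real Karaf shell commands,
#   feature:list -i      (installed features)
#   bundle:list -t 0     (all bundles, including system-level ones)
# The sample outputs embedded below are constructed to resemble that format.

# First Jetty 9.4.x release carrying the fixes for CVE-2023-36478 and
# CVE-2023-44487 (Karaf 4.3 / Pax Web 7 ship Jetty 9.4.x). ASSUMPTION: confirm
# this against the Jetty advisories for your branch before relying on it.
JETTY_FIXED_VERSION="${JETTY_FIXED_VERSION:-9.4.53}"

# Constructed sample: feature:list -i with the HTTP/2 feature installed.
SAMPLE_FEATURES_HTTP2='Name              | Version | Required | State   | Repository
------------------+---------+----------+---------+-------------------
pax-web-http      | 7.3.x   | x        | Started | org.ops4j.pax.web
pax-jetty-http2   | 7.3.x   | x        | Started | org.ops4j.pax.web'

# Constructed sample: same instance without the HTTP/2 feature.
SAMPLE_FEATURES_PLAIN='Name              | Version | Required | State   | Repository
------------------+---------+----------+---------+-------------------
pax-web-http      | 7.3.x   | x        | Started | org.ops4j.pax.web'

# Constructed sample: bundle:list -t 0 with an unpatched Jetty server bundle.
SAMPLE_BUNDLES_OLD='ID | State  | Lvl | Version           | Name
---+--------+-----+-------------------+----------------------
45 | Active | 30  | 9.4.50.v20221201  | Jetty :: Server Core
46 | Active | 30  | 9.4.50.v20221201  | Jetty :: Http Utility'

# Constructed sample: after rebuilding the distribution with a patched Jetty.
SAMPLE_BUNDLES_PATCHED='ID | State  | Lvl | Version           | Name
---+--------+-----+-------------------+----------------------
45 | Active | 30  | 9.4.53.v20231009  | Jetty :: Server Core'

# True (exit 0) when pax-jetty-http2 appears in the installed-feature listing.
http2_feature_installed() {
    printf '%s\n' "$1" | grep -q '^pax-jetty-http2[[:space:]]*|'
}

# Print the Version column of the Jetty server bundle, or nothing if absent.
jetty_server_version() {
    printf '%s\n' "$1" |
        awk -F'|' '/Jetty :: Server Core/ { gsub(/[ \t]/, "", $4); print $4; exit }'
}

# Print the first three numeric components of a version ("9.4.50.v2022..." -> "9 4 50").
version_parts() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d %d %d\n", $1, $2, $3 }'
}

# True (exit 0) when version $1 is older than version $2 on major.minor.micro;
# the Jetty date qualifier (".v20221201") is ignored.
version_lt() {
    set -- $(version_parts "$1") $(version_parts "$2")
    if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]
    else [ "$3" -lt "$6" ]
    fi
}

# Verdict for one instance: $1 = feature:list -i output, $2 = bundle:list output.
#   no-jetty        no Jetty server bundle at all (no HTTP server is running)
#   not-exposed     Jetty is at or above the fixed version
#   likely-exposed  old Jetty and the HTTP/2 feature is installed
#   review          old Jetty, HTTP/2 feature not installed: nothing enables HTTP/2
#                   by default, but any installed bundle could, so confirm by hand
assess() {
    ver=$(jetty_server_version "$2")
    if [ -z "$ver" ]; then
        echo "no-jetty"
    elif ! version_lt "$ver" "$JETTY_FIXED_VERSION"; then
        echo "not-exposed"
    elif http2_feature_installed "$1"; then
        echo "likely-exposed"
    else
        echo "review"
    fi
}

# Against a live instance, capture the real listings first, for example:
#   bin/client 'feature:list -i' > features.txt
#   bin/client 'bundle:list -t 0' > bundles.txt
# and pass their contents to assess. Here the constructed samples are used.
echo "http2 feature, old jetty    : $(assess "$SAMPLE_FEATURES_HTTP2" "$SAMPLE_BUNDLES_OLD")"
echo "no http2 feature, old jetty : $(assess "$SAMPLE_FEATURES_PLAIN" "$SAMPLE_BUNDLES_OLD")"
echo "http2 feature, patched jetty: $(assess "$SAMPLE_FEATURES_HTTP2" "$SAMPLE_BUNDLES_PATCHED")"
```

The "review" verdict is deliberate: as Grzegorz notes, the absence of the pax-jetty-http2 feature means nothing enables HTTP/2 by default, but any bundle you installed yourself could still pull in the Jetty HTTP/2 modules, so that case needs a manual look rather than a clean bill of health. Once a custom distribution with a patched Jetty is built (JB's first option), re-running the check against the new `bundle:list` output should move the instance to "not-exposed".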
