Hi everyone!
How exactly does blacklisting work? Is there some documentation? Does it mean 
that the blacklisted bundle is not packaged in the system directory of the 
custom Karaf distribution? That would be exactly what I would like to achieve 
in a scenario where I install a newer version of the pax-web feature and would 
like to remove the old one completely from the Karaf distribution.

Best regards,

Martin Zukal
Senior Software Developer

STABILIT Informatik AG
Augustin Keller-Strasse 31, 5600 Lenzburg, Switzerland
T:+41 62 724 08 48
[email protected]
www.stabilit.ch


From: João Assunção <[email protected]>
Sent: Thursday, April 17, 2025 11:22 AM
To: [email protected]
Cc: [email protected]
Subject: Re: Remove/upgrade Snakeyaml library (CVE-2022-1471)

Hello all,
I use Karaf's feature processing to blacklist bundles. For example, I use this 
capability to exclude the CXF bundle cxf-rt-rs-service-description in a custom 
Karaf distribution.
<?xml version="1.0" encoding="UTF-8"?>
<featuresProcessing
    xmlns="http://karaf.apache.org/xmlns/features-processing/v1.0.0"
    xmlns:f="http://karaf.apache.org/xmlns/features/v1.6.0">

    <blacklistedBundles>
        <bundle>mvn:org.apache.cxf/cxf-rt-rs-service-description</bundle>
    </blacklistedBundles>

</featuresProcessing>

Best regards,
João




On Wed, Apr 16, 2025 at 10:20 PM Matt Pavlovich <[email protected]> wrote:
Hi Jose-

Yes, you would need to update the feature file (or other deployment approach) 
that references that and override it there. If your project does not use 
snakeyaml, you may be able to safely remove it. Snakeyaml is most likely being 
pulled in by the JSON support features cxf-jaxrs-jackson (or similar).

Keep in mind, newer patched dependency libraries are starting to require JDK 11 
(and possibly JDK 17, since JDK 11 is also nearing end-of-life). You are 
probably starting down a path that involves more than upgrading just the single 
snakeyaml library.

Thanks
Matt Pavlovich


On Apr 16, 2025, at 1:34 PM, [email protected] wrote:

Karaf folks,

We have a project with Karaf 4.2.16 and Java 8. The project uses the CXF 
features, and it looks like these include snakeyaml 1.33; we want to remove 
or upgrade it to avoid the CVE-2022-1471 vulnerability.

Is there a way in Karaf to solve this?


Just FYI, this is the library:
<!-- https://mvnrepository.com/artifact/org.yaml/snakeyaml -->
<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>2.0</version>
</dependency>

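As an added illustration for this thread (it is not João's configuration and not a file from the Karaf project), here is how the same features-processing file can cover both the blacklisting João describes and the snakeyaml case from the original question. Besides blacklisting, Karaf's features processing supports bundle replacements, which substitute one bundle URI for another before a feature is installed. The file location etc/org.apache.karaf.features.xml, the version range [1,2) and the replacement version 2.0 (taken from the dependency snippet in the question) are assumptions made for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example features-processing file, constructed for this thread. Assumed to live in
     etc/org.apache.karaf.features.xml of the custom distribution. -->
<featuresProcessing
    xmlns="http://karaf.apache.org/xmlns/features-processing/v1.0.0"
    xmlns:f="http://karaf.apache.org/xmlns/features/v1.6.0">

    <!-- Blacklisting removes the bundle from every feature that references it.
         The feature still installs, but nothing will export the packages of the
         removed bundle, so this is only safe when no installed bundle imports them. -->
    <blacklistedBundles>
        <bundle>mvn:org.apache.cxf/cxf-rt-rs-service-description</bundle>
    </blacklistedBundles>

    <!-- Replacement keeps the bundle but swaps in the patched artifact: a feature that
         references snakeyaml in the assumed [1,2) range gets 2.0 instead.
         mode="maven" matches originalUri against the Maven coordinates and version. -->
    <bundleReplacements>
        <bundle originalUri="mvn:org.yaml/snakeyaml/[1,2)"
                replacement="mvn:org.yaml/snakeyaml/2.0"
                mode="maven"/>
    </bundleReplacements>

</featuresProcessing>
```

One caveat before relying on a replacement across a major version: bundles that consume snakeyaml usually carry an Import-Package range such as [1.33,2) for org.yaml.snakeyaml, and with only 2.0 available they will fail to resolve rather than silently use the new version. After restarting with the processing file in place, check which snakeyaml bundle is actually installed with bundle:list -t 0 and inspect a consumer's import ranges with bundle:headers <bundle id>; a resolution error there means the consumer (for example the Jackson YAML dataformat pulled in by CXF) also needs an upgrade.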