Upgrade Karaf / Jetty to address security issue #1641
Comments
|
@wborn FYI I have already created a branch for core which uses Karaf 4.4.6-SNAPSHOT. Luckily we have already upgraded to 4.4.5, which is very close to the upcoming 4.4.6. I am stuck with one problem: Currently, 4.4.x branch contains an update of ASM package to 9.7, breaking the feature verification (xtext is on 9.6). I am not able to modify the dependencies to make it work. If I roll back Karaf 4.4.6-SNAPSHOT to 9.6, I am able to compile. |
|
Karaf 4.4.6 has just been released, see changelog: It includes the fixes for Jetty, but relies on ASM 9.7 (which does not match xtext release, which is still at 9.6). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Jetty is affected by CVE-2024-22201 (in short: leaking file descriptors when TCP connections are in state congested).
This is fixed in Jetty 9.4.54, which will be integrated in the upcoming Karaf 4.4.6 release. See https://github.com/apache/karaf/activity?ref=karaf-4.4.x
This ticket is to track activities related to the integration of Karaf 4.4.6.
The text was updated successfully, but these errors were encountered: