No worries about OSGi ;) Pax Web doesn't have plans to upgrade to Undertow 2.1+ for now. And if it does, it'll repackage and re-export it with version 2.2. So (Pax Web 9?) it'll be the OSGi repackaging of Undertow (maybe in addition to the SMX bundle).

regards
Grzegorz Grzybek

Fri, 29 Jan 2021 at 16:29 Freeman Fang <[email protected]> wrote:

> Hi Colm and Grzegorz,
>
> Based on the facts
> 1. The CVE got fixed since Undertow 2.2.0 (not in 2.1.5).
> 2. Since Undertow 2.1.0, there is no OSGi support.
> 3. CXF 3.4.x uses Undertow 2.1.x already.
> 4. The CXF OSGi features.xml cxf-http-undertow feature reuses
> pax-http-undertow, so it always reuses the undertow version shipped with OPS4J
> PAX-WEB.
>
> <feature name="cxf-http-undertow" version="${project.version}">
>     <feature version="${project.version}">cxf-http</feature>
>     <feature>pax-http-undertow</feature>
>     <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-transports-http-undertow/${project.version}</bundle>
>     <capability>
>         cxf.http.provider;name=undertow
>     </capability>
> </feature>
>
> So any upgrade to undertow 2.2.x won't affect the CXF behavior in OSGi,
> though it's true that in OSGi it is very hard to pick up a later undertow release.
>
> In summary, I will upgrade the undertow version to 2.23; at least outside OSGi
> we can pick up this CVE fix.
>
> Cheers
> Freeman
>
> On Fri, Jan 29, 2021 at 5:55 AM Colm O hEigeartaigh <[email protected]>
> wrote:
>
>> Hi Grzegorz,
>>
>> Thanks - I was hoping actually that 2.1.5 would have fixed the CVE, and
>> the CVE information was out of date :-)
>>
>> Colm.
>>
>> On Fri, Jan 29, 2021 at 10:26 AM Grzegorz Grzybek <[email protected]>
>> wrote:
>>
>>> Hello
>>>
>>> Seeing that Undertow 2.2 is mentioned, I'd just like to highlight that
>>> it's no longer an OSGi bundle (see
>>> https://issues.redhat.com/browse/UNDERTOW-1684) - if this matters at all
>>> for CXF :)
>>>
>>> kind regards
>>> Grzegorz Grzybek
>>>
>>> Fri, 29 Jan 2021 at 11:19 Colm O hEigeartaigh <[email protected]>
>>> wrote:
>>>
>>>> Hey Freeman,
>>>>
>>>> Can you check if the latest Undertow 2.1.x release (2.1.5) is still
>>>> vulnerable to this CVE?
>>>>
>>>> https://nvd.nist.gov/vuln/detail/CVE-2020-10687
>>>>
>>>> If yes, can we update CXF to Undertow 2.2.x to avoid the CVE? I see
>>>> Camel has already updated.
>>>>
>>>> Thanks,
>>>>
>>>> Colm.
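An added check, not from this thread and not CXF's or Pax Web's own tooling: the thread places the CVE-2020-10687 fix at Undertow 2.2.0, so the practical question for a deployment is which undertow-core version the build actually resolves. The POSIX shell script below reduces Maven/OSGi-style version strings such as "2.1.5.Final" to a numeric triple, compares them against that threshold, and reports every io.undertow:undertow-core line found in `mvn dependency:tree` output. The sample tree output is constructed for illustration, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, CXF, or Pax Web): decide whether the
# Undertow version resolved by a build is at or past 2.2.0, the release the
# thread identifies as the first carrying the CVE-2020-10687 fix.

FIXED_IN="2.2.0"

# Reduce a Maven/OSGi-style version ("2.1.5.Final", "2.2.3.SP1") to its
# leading "major.minor.patch" triple so it can be sorted numerically.
numeric_version() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+).*/\1.\2.\3/'
}

# version_ge A B: succeed when A >= B as dotted numeric versions.
# Numeric field sort is what makes 2.10.0 rank above 2.2.0, which a plain
# string comparison would get wrong.
version_ge() {
  a=$(numeric_version "$1")
  b=$(numeric_version "$2")
  lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$b" ]
}

# Verdict for one version string: "fixed" or "vulnerable".
undertow_cve_status() {
  if version_ge "$1" "$FIXED_IN"; then echo fixed; else echo vulnerable; fi
}

# Read `mvn dependency:tree` output on stdin and print one
# "<version> <verdict>" line per io.undertow:undertow-core occurrence.
scan_dependency_tree() {
  sed -n 's/.*io\.undertow:undertow-core:jar:\([^:]*\).*/\1/p' |
  while IFS= read -r v; do
    printf '%s %s\n' "$v" "$(undertow_cve_status "$v")"
  done
}

# Constructed sample of dependency:tree output (assumed shape, not captured
# from a real CXF build): a CXF 3.4.x style transport pulling in 2.1.x.
sample_tree() {
  cat <<'EOF'
[INFO] org.example:app:jar:1.0
[INFO] +- org.apache.cxf:cxf-rt-transports-http-undertow:jar:3.4.2:compile
[INFO] |  \- io.undertow:undertow-core:jar:2.1.5.Final:compile
EOF
}

# Usage: mvn dependency:tree | scan_dependency_tree
sample_tree | scan_dependency_tree
```

For a real build, feed `mvn dependency:tree -Dincludes=io.undertow` to `scan_dependency_tree`. Inside Karaf the version that matters is the one Pax Web ships, as the thread explains, so check it there with `bundle:list | grep -i undertow` rather than from the Maven tree.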
