openhab / openhab-distro

The binary distribution of openHAB
https://www.openhab.org/
Eclipse Public License 2.0

Upgrade Karaf / Jetty to address security issue #1641

Closed holgerfriedrich closed 5 months ago

holgerfriedrich commented 7 months ago

Jetty is affected by CVE-2024-22201 (in short: it leaks file descriptors when TCP connections are in a congested state).

This is fixed in Jetty 9.4.54, which will be integrated in the upcoming Karaf 4.4.6 release. See https://github.com/apache/karaf/activity?ref=karaf-4.4.x

This ticket is to track activities related to the integration of Karaf 4.4.6.
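
The issue above only states the fix version (Jetty 9.4.54). As an added example, not code from openHAB, Karaf or the issue author, here is a small Python check that walks a Karaf-style Maven repository (the `system/` directory that openHAB ships) and flags Jetty 9.4.x jars older than 9.4.54. The directory layout and the sample paths are assumptions constructed for the example; only the 9.4.x line is judged, because the issue gives no fix version for other Jetty lines.

```python
"""Flag Jetty 9.4.x jars older than 9.4.54 (the fix version named in the
issue for CVE-2024-22201) in a Karaf-style Maven repository tree.
Added example; not openHAB, Karaf or Jetty project code."""
import re
from pathlib import Path

# Fix version taken from the issue text. Only the 9.4.x line is covered;
# other Jetty lines are reported as "unknown" rather than guessed.
FIXED_94 = (9, 4, 54)

# Assumed layout (Karaf's system/ repo is Maven-style):
#   system/org/eclipse/jetty/<artifact>/<version>/<artifact>-<version>.jar
# Jetty 9.4 versions look like 9.4.53.v20231009; the ".vYYYYMMDD" tail is optional here.
JETTY_JAR = re.compile(r"^(jetty-[a-z0-9-]+)-(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?\.jar$")


def parse_jetty_jar(name):
    """Return (artifact, (major, minor, patch)) for a Jetty jar file name, else None."""
    m = JETTY_JAR.match(name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def status(version):
    """'fixed', 'vulnerable' or 'unknown' for a parsed (major, minor, patch) tuple."""
    major, minor, _ = version
    if (major, minor) != (9, 4):
        return "unknown"  # the issue states no fix version for this line
    return "fixed" if version >= FIXED_94 else "vulnerable"


def scan(paths):
    """Classify every Jetty jar among an iterable of path strings.
    Returns a list of (path, artifact, version string, verdict)."""
    findings = []
    for p in paths:
        parsed = parse_jetty_jar(Path(p).name)
        if parsed is None:
            continue  # not a Jetty jar (e.g. asm-9.6.jar)
        artifact, version = parsed
        findings.append((p, artifact, ".".join(map(str, version)), status(version)))
    return findings


def scan_tree(root):
    """Walk a real directory, e.g. <openhab>/runtime/system, and classify its Jetty jars."""
    return scan(str(p) for p in Path(root).rglob("*.jar"))


# Constructed sample paths (not taken from a real install) to exercise the check.
SAMPLE_PATHS = [
    "system/org/eclipse/jetty/jetty-server/9.4.53.v20231009/jetty-server-9.4.53.v20231009.jar",
    "system/org/eclipse/jetty/jetty-io/9.4.54.v20240208/jetty-io-9.4.54.v20240208.jar",
    "system/org/eclipse/jetty/jetty-util/10.0.19/jetty-util-10.0.19.jar",
    "system/org/ow2/asm/asm/9.6/asm-9.6.jar",
]

if __name__ == "__main__":
    for path, artifact, version, verdict in scan(SAMPLE_PATHS):
        print(f"{verdict:10s} {artifact} {version}  ({path})")
```

Run it against a real runtime with `scan_tree("runtime/system")`; anything reported as `vulnerable` is a 9.4.x jar predating the fix, and `unknown` entries need a separate check against the advisory for their own Jetty line.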

holgerfriedrich commented 7 months ago

@wborn FYI

I have already created a branch for core which uses Karaf 4.4.6-SNAPSHOT. Luckily we have already upgraded to 4.4.5, which is very close to the upcoming 4.4.6.

I am stuck with one problem: Currently, the 4.4.x branch contains an update of the ASM package to 9.7, breaking the feature verification (xtext is on 9.6). I am not able to modify the dependencies to make it work.

If I roll back Karaf 4.4.6-SNAPSHOT to 9.6, I am able to compile.

https://github.com/apache/karaf/pull/1832#issuecomment-2029262743

holgerfriedrich commented 7 months ago

Karaf 4.4.6 has just been released, see changelog: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12354057

It includes the fixes for Jetty, but relies on ASM 9.7 (which does not match the xtext release, which is still at 9.6).