commit | 2eeda0020a945d7aa224bee0b69109fc4c5c0865 | [log] [tgz] |
---|---|---|
author | Sachin Pattan <sachin.pattan@sap.com> | Wed Oct 21 10:44:38 2020 +0200 |
committer | GitHub <noreply@github.com> | Wed Oct 21 10:44:38 2020 +0200 |
tree | f2f598327a6dbc7c4beba07737422f4e7d502ea8 | |
parent | 7144f711b41f5f671cb10f5b270b7f539e0c4db4 [diff] |
CVE-2020-13956: Update httpclient.version to 4.5.13

As per https://bugzilla.redhat.com/show_bug.cgi?id=1886587, http.client libraries below version 4.5.13 have the vulnerability CVE-2020-13956. As Karaf rebundles http.client classes, as seen at https://github.com/apache/karaf/blob/karaf-4.2.10/jaas/modules/pom.xml#L180, this makes it vulnerable and hence our security scans are detecting it as a vulnerable library. And hence updating the httpclient.version to 4.5.13.
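One way to verify that a POM declares httpclient at or above the 4.5.13 version named in the commit message, as an added example that is not part of the commit or of Karaf's code. The sample POM is constructed for illustration, and the helper names (`check_pom`, `classify`) are hypothetical; only the `httpclient.version` property and the 4.5.13 threshold come from the page.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (4, 5, 13)  # version the commit message names as the fix for CVE-2020-13956

# Constructed sample POM (not Karaf's real pom.xml); {version} is filled in by the caller.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><httpclient.version>{version}</httpclient.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>${{httpclient.version}}</version>
    </dependency>
  </dependencies>
</project>"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def classify(version):
    """Return 'affected', 'ok' or 'unresolved' for one 4.x version string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return "unresolved"  # e.g. a ${property} that this POM does not define
    # Compare numerically: as strings, "4.5.6" would sort after "4.5.13".
    return "affected" if tuple(int(g or 0) for g in m.groups()) < FIXED else "ok"

def check_pom(pom_xml):
    """List (version, status) for every org.apache.httpcomponents:httpclient entry."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root.iter() if _local(el.tag) == "properties" for p in el}
    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) != ("org.apache.httpcomponents", "httpclient"):
            continue
        version = f.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:  # resolve ${name} against <properties>, keep the raw text if unknown
            version = props.get(ref.group(1), version)
        results.append((version, classify(version)))
    return results

if __name__ == "__main__":
    for v in ("4.5.12", "4.5.13"):
        print(check_pom(SAMPLE_POM.format(version=v)))
```

The check covers versions declared in a single POM only; properties inherited from a parent POM are reported as `unresolved` so they get a manual look.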
Apache Karaf is a modulith runtime, supporting several frameworks and programming models (REST/API, web, spring boot, ...). It provides turnkey features that you can directly leverage without effort, packaged as mutable or immutable applications.
For an Apache Karaf source distribution, please read BUILDING.md for instructions on building Apache Karaf.
For an Apache Karaf binary distribution, please read RELEASE-NOTES.md for installation instructions and list of supported and unsupported features.
The PDF manual is the right place to find any information about Karaf.
The examples provide a bunch of turnkey minimal applications that you can deploy in Apache Karaf and extend/template as you want.
To get involved in Apache Karaf:
We also have a contributor's guide.
Many thanks for using Apache Karaf.
The Apache Karaf Team