Recently some Geode users have expressed concern that shiro-1.4.1.jar is getting flagged for critical security vulnerability CVE-2020-1957.
Analysis shows that Geode does not use Shiro in a manner that would expose this vulnerability, so maybe there is no need to backport GEODE-7941. The risk of bringing GEODE-7941 is very low (Shiro 1.5.2 has no API changes or other breaking changes relative to 1.4.1; Shiro rolled its minor version only to make JDK 8 the minimum). GEODE-7941 has passed all tests on develop. I am happy to go either way here, so putting it to a vote. Does 'making Geode 1.12 look better to automated vulnerability scans' qualify as a ‘critical fix’? A big red flag doesn’t make a good first impression…also it’s not easy for a user to discover for themselves that Geode is not actually vulnerable. Bringing this fix to support/1.12 might bolster users’ confidence in the Geode community and our new support-branch model. -Owen
