+1 to backport
> On Apr 6, 2020, at 8:54 AM, Owen Nichols <onich...@pivotal.io> wrote:
>
> Recently some Geode users have expressed concern that shiro-1.4.1.jar is
> getting flagged for critical security vulnerability CVE-2020-1957.
>
> Analysis shows that Geode does not use Shiro in a manner that would expose
> this vulnerability, so maybe there is no need to backport GEODE-7941.
>
> The risk of bringing GEODE-7941 is very low (Shiro 1.5.2 has no API changes
> or other breaking changes relative to 1.4.1; Shiro rolled its minor version
> only to make JDK 8 the minimum). GEODE-7941 has passed all tests on develop.
>
> I am happy to go either way here, so putting it to a vote. Does 'making
> Geode 1.12 look better to automated vulnerability scans' qualify as a
> ‘critical fix’? A big red flag doesn’t make a good first impression…also
> it’s not easy for a user to discover for themselves that Geode is not
> actually vulnerable. Bringing this fix to support/1.12 might bolster users’
> confidence in the Geode community and our new support-branch model.
>
> -Owen
