+1

-Dan

On Mon, Apr 6, 2020 at 10:30 AM Bruce Schuchardt <bschucha...@pivotal.io>
wrote:

> +1 to backport to support/1.12
>
> On 4/6/20, 8:55 AM, "Owen Nichols" <onich...@pivotal.io> wrote:
>
>     Recently some Geode users have expressed concern that shiro-1.4.1.jar
> is getting flagged for critical security vulnerability CVE-2020-1957.
>
>     Analysis shows that Geode does not use Shiro in a manner that would
> expose this vulnerability, so maybe there is no need to backport GEODE-7941.
>
>     The risk of bringing GEODE-7941 is very low (Shiro 1.5.2 has no API
> changes or other breaking changes relative to 1.4.1; Shiro rolled its minor
> version only to make JDK 8 the minimum).  GEODE-7941 has passed all tests
> on develop.
>
>     I am happy to go either way here, so putting it to a vote.  Does
> 'making Geode 1.12 look better to automated vulnerability scans' qualify as
> a ‘critical fix’?  A big red flag doesn’t make a good first impression…also
> it’s not easy for a user to discover for themselves that Geode is not
> actually vulnerable.  Bringing this fix to support/1.12 might bolster
> users’ confidence in the Geode community and our new support-branch model.
>
>     -Owen
>
>
>
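The thread above is a version-based scanner finding against a dependency the project has reviewed as not exposed. The script below is an added example (not code from the Geode project or from anyone in the thread) of how such a triage can be kept explainable: a dependency is flagged purely because its version is below the advisory's fixed version, and a reviewed "not affected" record keeps the finding in the report with its justification rather than making it vanish. The manifest format, the Maven coordinates `org.apache.shiro:shiro-core`, and the review record are constructed for the example; the only facts taken from the thread are the versions 1.4.1 and 1.5.2 (used here as the advisory's fixed version, since that is what GEODE-7941 upgrades to) and the CVE id.

```python
"""Dependency-scan triage with reviewed not-affected records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.5.2' or '1.5.2-SNAPSHOT' into (1, 5, 2) so tuples compare numerically
    (string comparison would wrongly rank '1.10.0' below '1.5.2')."""
    numeric = v.split("-", 1)[0]
    return tuple(int(p) for p in numeric.split("."))


def is_flagged(version: str, fixed_in: str) -> bool:
    """A version-based scanner flags anything strictly below the fixed version."""
    return parse_version(version) < parse_version(fixed_in)


@dataclass(frozen=True)
class Advisory:
    cve: str
    artifact: str   # "group:artifact"
    fixed_in: str   # first version the advisory treats as fixed


@dataclass
class Finding:
    cve: str
    artifact: str
    version: str
    status: str                       # "open" or "not-affected"
    justification: Optional[str] = None


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse constructed 'group:artifact:version' lines ('#' starts a comment)."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        group, artifact, version = line.split(":")
        deps[f"{group}:{artifact}"] = version
    return deps


def triage(deps: Dict[str, str], advisories: List[Advisory],
           reviews: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Flag each matching dependency; attach a reviewed justification where one exists.
    The finding is never dropped: a reader of the report sees *why* it was accepted."""
    findings: List[Finding] = []
    for adv in advisories:
        version = deps.get(adv.artifact)
        if version is None or not is_flagged(version, adv.fixed_in):
            continue
        review = reviews.get((adv.cve, adv.artifact))
        if review is None:
            findings.append(Finding(adv.cve, adv.artifact, version, "open"))
        else:
            findings.append(Finding(adv.cve, adv.artifact, version, "not-affected", review))
    return findings


# Constructed sample manifest: the pre-upgrade state discussed in the thread.
SAMPLE_MANIFEST = """
org.apache.shiro:shiro-core:1.4.1   # flagged by scanners for CVE-2020-1957
org.example:unrelated-lib:2.3.0     # constructed, no advisory
"""

ADVISORIES = [Advisory("CVE-2020-1957", "org.apache.shiro:shiro-core", "1.5.2")]

# Reviewed exception keyed by (CVE, artifact); wording taken from the thread.
REVIEWS = {
    ("CVE-2020-1957", "org.apache.shiro:shiro-core"):
        "Geode does not use Shiro in a manner that would expose this vulnerability",
}


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding (returned, so callers can assert on it)."""
    return [f"{f.cve} {f.artifact}@{f.version}: {f.status}"
            + (f" ({f.justification})" if f.justification else "")
            for f in findings]


if __name__ == "__main__":
    before = triage(parse_manifest(SAMPLE_MANIFEST), ADVISORIES, REVIEWS)
    print("\n".join(report(before)))
    bumped = dict(parse_manifest(SAMPLE_MANIFEST))
    bumped["org.apache.shiro:shiro-core"] = "1.5.2"   # what GEODE-7941 brings
    print("after bump:", report(triage(bumped, ADVISORIES, REVIEWS)) or "no findings")
```

Running it shows the two outcomes the thread weighs against each other: with 1.4.1 the finding stays visible but carries the reviewed justification, and with 1.5.2 the version-based check no longer fires at all, which is what satisfies an automated scanner that cannot see how the library is used.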
