+1 to backport

On 4/6/20, 9:14 AM, "Anthony Baker" <aba...@pivotal.io> wrote:

    +1 to backport
    
    > On Apr 6, 2020, at 8:54 AM, Owen Nichols <onich...@pivotal.io> wrote:
    > 
    > Recently some Geode users have expressed concern that shiro-1.4.1.jar is getting flagged for critical security vulnerability CVE-2020-1957.
    > 
    > Analysis shows that Geode does not use Shiro in a manner that would expose this vulnerability, so maybe there is no need to backport GEODE-7941.
    > 
    > The risk of bringing GEODE-7941 is very low (Shiro 1.5.2 has no API changes or other breaking changes relative to 1.4.1; Shiro rolled its minor version only to make JDK 8 the minimum).  GEODE-7941 has passed all tests on develop.
    > 
    > I am happy to go either way here, so putting it to a vote.  Does 'making Geode 1.12 look better to automated vulnerability scans' qualify as a 'critical fix'?  A big red flag doesn't make a good first impression...also it's not easy for a user to discover for themselves that Geode is not actually vulnerable.  Bringing this fix to support/1.12 might bolster users' confidence in the Geode community and our new support-branch model.
    > 
    > -Owen