+1 On Wed, Apr 8, 2020 at 12:21 PM Owen Nichols <onich...@pivotal.io> wrote:
> Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting > flagged for “high" security vulnerability CVE-2019-20444 and CVE-2019-20445. > > Analysis shows that Geode does not use Netty in a manner that would expose > this vulnerability. > > The risk of bringing GEODE-7969 is very low. Netty is only imported for > some I/O libraries in geode-redis, not used as a server. GEODE-7969 has > passed all PR checks on support/1.12, and the same version bump to > 4.1.45.Final has been on develop since February via GEODE-7798. > > This fix is critical to avoid false positives in automated vulnerability > scans. > > -Owen -- *Joris Melchior * CF Engineering Pivotal Toronto 416 877 5427 “Programs must be written for people to read, and only incidentally for machines to execute.” – *Hal Abelson* <https://en.wikipedia.org/wiki/Hal_Abelson>
