There appears to be consensus to bring this critical fix to support/1.12. https://github.com/apache/geode/pull/4926 has been merged to support/1.12 and Jira updated with correct fix versions.
> On Apr 8, 2020, at 1:41 PM, Dick Cavender <dcaven...@pivotal.io> wrote:
>
> +1
>
> On Wed, Apr 8, 2020 at 10:08 AM Joris Melchior <jmelch...@pivotal.io> wrote:
>
>> +1
>>
>> On Wed, Apr 8, 2020 at 12:21 PM Owen Nichols <onich...@pivotal.io> wrote:
>>
>>> Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
>>> flagged for “high” security vulnerability CVE-2019-20444 and
>>> CVE-2019-20445.
>>>
>>> Analysis shows that Geode does not use Netty in a manner that would
>>> expose this vulnerability.
>>>
>>> The risk of bringing GEODE-7969 is very low. Netty is only imported for
>>> some I/O libraries in geode-redis, not used as a server. GEODE-7969 has
>>> passed all PR checks on support/1.12, and the same version bump to
>>> 4.1.45.Final has been on develop since February via GEODE-7798.
>>>
>>> This fix is critical to avoid false positives in automated vulnerability
>>> scans.
>>>
>>> -Owen
>>
>>
>> --
>> *Joris Melchior*
>> CF Engineering
>> Pivotal Toronto
>> 416 877 5427
>>
>> “Programs must be written for people to read, and only incidentally for
>> machines to execute.” – *Hal Abelson*
>> <https://en.wikipedia.org/wiki/Hal_Abelson>