+1

On Tue, 30 Jun 2020 at 17:03, Owen Nichols <onich...@vmware.com> wrote:

> Recently shiro-1.5.2.jar is getting flagged for critical security
> vulnerability CVE-2020-11989.
>
> Analysis shows that Geode does not use Shiro in a manner that would expose
> this vulnerability.
>
> The risk of bringing GEODE-8315 is very low (difference between Shiro
> 1.5.2 and 1.5.3 is bugfix only). GEODE-8315 has been on develop for 2 days
> and passed the pipeline.
>
> This fix is critical to avoid false positives in automated vulnerability
> scans, so it would be nice to bring before 1.13.0 release.

--
Ju@N