Backported to support/1.13 and support/1.12

On 6/30/20, 9:37 AM, "Robert Houghton" <rhough...@vmware.com> wrote:

    +1

    From: Dick Cavender <di...@vmware.com>
    Date: Tuesday, June 30, 2020 at 9:14 AM
    To: dev@geode.apache.org <dev@geode.apache.org>
    Subject: RE: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
    +1

    -----Original Message-----
    From: Ju@N <jujora...@gmail.com>
    Sent: Tuesday, June 30, 2020 9:12 AM
    To: dev@geode.apache.org
    Subject: Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches

    +1

    On Tue, 30 Jun 2020 at 17:03, Owen Nichols <onich...@vmware.com> wrote:

    > Recently shiro-1.5.2.jar is getting flagged for critical security
    > vulnerability CVE-2020-11989.
    >
    > Analysis shows that Geode does not use Shiro in a manner that would
    > expose this vulnerability.
    >
    > The risk of bringing GEODE-8315 is very low (difference between Shiro
    > 1.5.2 and 1.5.3 is bugfix only).  GEODE-8315 has been on develop for 2
    > days and passed the pipeline.
    >
    > This fix is critical to avoid false positives in automated
    > vulnerability scans, so it would be nice to bring before 1.13.0 release.
    >


    --
    Ju@N
