Thanks for taking care of that, Owen.

On Tue, Jun 30, 2020 at 9:38 AM Owen Nichols <[email protected]> wrote:
> Backported to support/1.13 and support/1.12
>
> On 6/30/20, 9:37 AM, "Robert Houghton" <[email protected]> wrote:
>
> +1
>
> From: Dick Cavender <[email protected]>
> Date: Tuesday, June 30, 2020 at 9:14 AM
> To: [email protected] <[email protected]>
> Subject: RE: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
>
> +1
>
> -----Original Message-----
> From: Ju@N <[email protected]>
> Sent: Tuesday, June 30, 2020 9:12 AM
> To: [email protected]
> Subject: Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
>
> +1
>
> On Tue, 30 Jun 2020 at 17:03, Owen Nichols <[email protected]> wrote:
>
> > Recently shiro-1.5.2.jar is getting flagged for critical security
> > vulnerability CVE-2020-11989.
> >
> > Analysis shows that Geode does not use Shiro in a manner that would
> > expose this vulnerability.
> >
> > The risk of bringing GEODE-8315 is very low (difference between Shiro
> > 1.5.2 and 1.5.3 is bugfix only). GEODE-8315 has been on develop for 2
> > days and passed the pipeline.
> >
> > This fix is critical to avoid false positives in automated
> > vulnerability scans, so it would be nice to bring before 1.13.0 release.
>
> --
> Ju@N
