+1 We still have outstanding release blockers for 1.13, so getting this fix in now just prevents extra work in the future without slowing us down now.

________________________________
From: Owen Nichols <onich...@vmware.com>
Sent: Monday, August 31, 2020 4:19 PM
To: dev@geode.apache.org <dev@geode.apache.org>
Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support branches
Recently shiro-1.5.3.jar is getting flagged for a ‘high’ security vulnerability, CVE-2020-13933. Analysis shows that Geode does not use Shiro in a manner that would expose this vulnerability. The risk of bringing GEODE-8456 is low (the difference between Shiro 1.5.3 and 1.6.0 is bugfix and dependency bump only). GEODE-8456 has been on develop for 6 days and passed all tests. This fix is critical to avoid false positives in automated vulnerability scans. It would be nice to bring it to support branches before 1.13.0 is released.

Please vote “+1” to approve including this in 1.13.0. If there are any -1 votes, I’ll wait until after 1.13.0 is done to propose this again.