+1
________________________________
From: Ju@N <jujora...@gmail.com>
Sent: Tuesday, September 1, 2020 4:10 AM
To: dev@geode.apache.org <dev@geode.apache.org>
Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

+1

On Tue, 1 Sep 2020 at 01:11, Donal Evans <doev...@vmware.com> wrote:

> +1
>
> We still have outstanding release blockers for 1.13, so getting this fix
> in now just prevents extra work in the future without slowing us down now.
> ________________________________
> From: Owen Nichols <onich...@vmware.com>
> Sent: Monday, August 31, 2020 4:19 PM
> To: dev@geode.apache.org <dev@geode.apache.org>
> Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support branches
>
> Recently shiro-1.5.3.jar is getting flagged for ‘high’ security
> vulnerability CVE-2020-13933.
>
> Analysis shows that Geode does not use Shiro in a manner that would expose
> this vulnerability.
>
> The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 and
> 1.6.0 is bugfix and dependency bump only).  GEODE-8456 has been on develop
> for 6 days and passed all tests.
>
> This fix is critical to avoid false positives in automated vulnerability
> scans.  It would be nice to bring to support branches before 1.13.0 is
> released.
>
> Please vote “+1” to approve including this in 1.13.0.  If there are any -1
> votes, I’ll wait until after 1.13.0 is done to propose this again.
>


--
Ju@N
