+1

On Tue, Sep 1, 2020 at 6:19 AM Sarah Abbey <sab...@vmware.com> wrote:
> +1
> ________________________________
> From: Ju@N <jujora...@gmail.com>
> Sent: Tuesday, September 1, 2020 4:10 AM
> To: dev@geode.apache.org <dev@geode.apache.org>
> Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches
>
> +1
>
> On Tue, 1 Sep 2020 at 01:11, Donal Evans <doev...@vmware.com> wrote:
>
> > +1
> >
> > We still have outstanding release blockers for 1.13, so getting this fix
> > in now just prevents extra work in the future without slowing us down now.
> > ________________________________
> > From: Owen Nichols <onich...@vmware.com>
> > Sent: Monday, August 31, 2020 4:19 PM
> > To: dev@geode.apache.org <dev@geode.apache.org>
> > Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support branches
> >
> > Recently shiro-1.5.3.jar is getting flagged for 'high' security
> > vulnerability CVE-2020-13933.
> >
> > Analysis shows that Geode does not use Shiro in a manner that would expose
> > this vulnerability.
> >
> > The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 and
> > 1.6.0 is bugfix and dependency bump only). GEODE-8456 has been on develop
> > for 6 days and passed all tests.
> >
> > This fix is critical to avoid false positives in automated vulnerability
> > scans. It would be nice to bring to support branches before 1.13.0 is
> > released.
> >
> > Please vote "+1" to approve including this in 1.13.0. If there are any -1
> > votes, I'll wait until after 1.13.0 is done to propose this again.
> >
>
> --
> Ju@N