+1 On Tue, Sep 1, 2020 at 6:19 AM Sarah Abbey <[email protected]> wrote:
> +1 > ________________________________ > From: Ju@N <[email protected]> > Sent: Tuesday, September 1, 2020 4:10 AM > To: [email protected] <[email protected]> > Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support > branches > > +1 > > On Tue, 1 Sep 2020 at 01:11, Donal Evans <[email protected]> wrote: > > > +1 > > > > We still have outstanding release blockers for 1.13, so getting this fix > > in now just prevents extra work in the future without slowing us down > now. > > ________________________________ > > From: Owen Nichols <[email protected]> > > Sent: Monday, August 31, 2020 4:19 PM > > To: [email protected] <[email protected]> > > Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support branches > > > > Recently shiro-1.5.3.jar is getting flagged for ‘high’ security > > vulnerability CVE-2020-13933. > > > > Analysis shows that Geode does not use Shiro in a manner that would > expose > > this vulnerability. > > > > The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 > and > > 1.6.0 is bugfix and dependency bump only). GEODE-8456 has been on > develop > > for 6 days and passed all tests. > > > > This fix is critical to avoid false positives in automated vulnerability > > scans. It would be nice to bring to support branches before 1.13.0 is > > released. > > > > Please vote “+1” to approve including this in 1.13.0. If there are any > -1 > > votes, I’ll wait until after 1.13.0 is done to propose this again. > > > > > -- > Ju@N >
