Done, thanks!

On 9/1/20, 10:22 AM, "Dave Barnes" <dbar...@apache.org> wrote:

    Looks like more than enough approvals, Owen. Please port, as you proposed.
    Thanks,
    Dave

    On Tue, Sep 1, 2020 at 7:45 AM Alexander Murmann <amurm...@apache.org>
    wrote:

    > +1
    >
    > On Tue, Sep 1, 2020 at 6:19 AM Sarah Abbey <sab...@vmware.com> wrote:
    >
    > > +1
    > > ________________________________
    > > From: Ju@N <jujora...@gmail.com>
    > > Sent: Tuesday, September 1, 2020 4:10 AM
    > > To: dev@geode.apache.org <dev@geode.apache.org>
    > > Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support
    > > branches
    > >
    > > +1
    > >
    > > On Tue, 1 Sep 2020 at 01:11, Donal Evans <doev...@vmware.com> wrote:
    > >
    > > > +1
    > > >
    > > > We still have outstanding release blockers for 1.13, so getting this
    > > > fix in now just prevents extra work in the future without slowing us
    > > > down now.
    > > > ________________________________
    > > > From: Owen Nichols <onich...@vmware.com>
    > > > Sent: Monday, August 31, 2020 4:19 PM
    > > > To: dev@geode.apache.org <dev@geode.apache.org>
    > > > Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support
    > > > branches
    > > >
    > > > Recently shiro-1.5.3.jar is getting flagged for ‘high’ security
    > > > vulnerability CVE-2020-13933.
    > > >
    > > > Analysis shows that Geode does not use Shiro in a manner that would
    > > > expose this vulnerability.
    > > >
    > > > The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3
    > > > and 1.6.0 is bugfix and dependency bump only).  GEODE-8456 has been on
    > > > develop for 6 days and passed all tests.
    > > >
    > > > This fix is critical to avoid false positives in automated
    > > > vulnerability scans.  It would be nice to bring to support branches
    > > > before 1.13.0 is released.
    > > >
    > > > Please vote “+1” to approve including this in 1.13.0.  If there are
    > > > any -1 votes, I’ll wait until after 1.13.0 is done to propose this
    > > > again.
    > > >
    > >
    > >
    > > --
    > > Ju@N
    > >
    >
