Re: Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Owen Nichols
There appears to be consensus to bring this critical fix to support/1.12.

https://github.com/apache/geode/pull/4926 has been merged to support/1.12 and Jira updated with correct fix versions.

> On Apr 8, 2020, at 1:41 PM, Dick Cavender wrote:
>
> +1

Re: Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Dick Cavender
+1

On Wed, Apr 8, 2020 at 10:08 AM Joris Melchior wrote:

> +1
>
> On Wed, Apr 8, 2020 at 12:21 PM Owen Nichols wrote:
>
> > Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
> > flagged for “high” security vulnerability CVE-2019-20444 and CVE-2019-20445.
> >
> > Analysis s

Re: Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Joris Melchior
+1

On Wed, Apr 8, 2020 at 12:21 PM Owen Nichols wrote:

> Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
> flagged for “high” security vulnerability CVE-2019-20444 and CVE-2019-20445.
>
> Analysis shows that Geode does not use Netty in a manner that would expose
> this vuln

Re: Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Ju@N
+1

On Wed, 8 Apr 2020 at 17:21, Owen Nichols wrote:

> Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
> flagged for “high” security vulnerability CVE-2019-20444 and CVE-2019-20445.
>
> Analysis shows that Geode does not use Netty in a manner that would expose
> this vulnera

Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Owen Nichols
Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting flagged for “high” security vulnerability CVE-2019-20444 and CVE-2019-20445.

Analysis shows that Geode does not use Netty in a manner that would expose this vulnerability. The risk of bringing GEODE-7969 is very low. Netty i