+1

On Wed, 8 Apr 2020 at 17:21, Owen Nichols <onich...@pivotal.io> wrote:

> Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
> flagged for “high” security vulnerabilities CVE-2019-20444 and CVE-2019-20445.
>
> Analysis shows that Geode does not use Netty in a manner that would expose
> this vulnerability.
>
> The risk of bringing GEODE-7969 is very low.  Netty is only imported for
> some I/O libraries in geode-redis, not used as a server.  GEODE-7969 has
> passed all PR checks on support/1.12, and the same version bump to
> 4.1.45.Final has been on develop since February via GEODE-7798.
>
> This fix is critical to avoid false positives in automated vulnerability
> scans.
>
> -Owen



-- 
Ju@N
