+1 -Dan
On Fri, Apr 10, 2020 at 12:37 PM Anilkumar Gingade <aging...@pivotal.io> wrote:
> +1
> Based on: The risk is low. Avoids false positives in automated vulnerability scans.
>
> On Fri, Apr 10, 2020 at 12:33 PM Dick Cavender <dcaven...@pivotal.io> wrote:
>
> > +1
> >
> > On Fri, Apr 10, 2020 at 11:16 AM Owen Nichols <onich...@pivotal.io> wrote:
> >
> > > Recently it’s been noticed that spring-core-5.2.1.RELEASE.jar is getting
> > > flagged for “high” security vulnerability CVE-2020-5398.
> > >
> > > Analysis shows that Geode does not use Spring in a manner that would
> > > expose this vulnerability (none of our REST APIs or Pulse set a
> > > Content-Disposition header derived from user-supplied input).
> > >
> > > The risk of bringing GEODE-7970 is low. This patch update from 5.2.1 to
> > > 5.2.5 brings bug fixes only. This exact version was on develop from Apr 8
> > > - Apr 10 & passed all tests.
> > >
> > > This fix is critical to avoid false positives in automated vulnerability
> > > scans.
> > >
> > > -Owen