There appears to be consensus to bring this critical fix to support/1.12. I have done git cherry-pick -x ead319cc04e284838275669c2d502e1a8c5ad822 and updated GEODE-7970 to add 1.12.1 to the list of fixed versions.
Thanks -Owen

> On Apr 10, 2020, at 1:24 PM, Dan Smith <dsm...@pivotal.io> wrote:
>
> +1
>
> -Dan
>
> On Fri, Apr 10, 2020 at 12:37 PM Anilkumar Gingade <aging...@pivotal.io> wrote:
>
>> +1
>> Based on: The risk is low. Avoids false positives in automated vulnerability scans.
>>
>> On Fri, Apr 10, 2020 at 12:33 PM Dick Cavender <dcaven...@pivotal.io> wrote:
>>
>>> +1
>>>
>>> On Fri, Apr 10, 2020 at 11:16 AM Owen Nichols <onich...@pivotal.io> wrote:
>>>
>>>> Recently it’s been noticed that spring-core-5.2.1.RELEASE.jar is getting flagged for “high” security vulnerability CVE-2020-5398.
>>>>
>>>> Analysis shows that Geode does not use Spring in a manner that would expose this vulnerability (none of our REST APIs or Pulse set a Content-Disposition header derived from user-supplied input).
>>>>
>>>> The risk of bringing GEODE-7970 is low. This patch update from 5.2.1 to 5.2.5 brings bug fixes only. This exact version was on develop from Apr 8 - Apr 10 & passed all tests.
>>>>
>>>> This fix is critical to avoid false positives in automated vulnerability scans.
>>>>
>>>> -Owen
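The analysis in the thread turns on one question: is a Content-Disposition header ever built from user-supplied input? The following Java snippet is an added illustration of what that means in code, written for this page; it is not Geode code and not Spring's own fix. It shows the risky pattern (a raw value concatenated into the header) next to a hardened form that only echoes a filename matching a strict whitelist and otherwise uses a server-chosen fallback. The class name, method names, whitelist pattern and sample inputs are all assumptions made here.

```java
import java.util.regex.Pattern;

// Hypothetical helper added for illustration; not part of Geode or Spring.
public final class ContentDispositionExample {

    // Whitelist for a filename that may be echoed into the header: ASCII
    // letters, digits, underscore and dash, with single dots between segments.
    // This excludes CR/LF, quotes, path separators, leading dots, ".." and
    // any non-ASCII characters, none of which should reach a response header.
    private static final Pattern SAFE_FILENAME =
            Pattern.compile("^[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)*$");

    // The pattern the thread's analysis rules out for Geode: the user-supplied
    // value is copied straight into the response header value.
    static String unsafeContentDisposition(String userSuppliedName) {
        return "attachment; filename=\"" + userSuppliedName + "\"";
    }

    // Hardened form: the user-supplied name is used only if it matches the
    // whitelist and a length bound; otherwise a server-chosen fallback is used.
    static String safeContentDisposition(String userSuppliedName, String fallback) {
        boolean ok = userSuppliedName != null
                && userSuppliedName.length() <= 255
                && SAFE_FILENAME.matcher(userSuppliedName).matches();
        return "attachment; filename=\"" + (ok ? userSuppliedName : fallback) + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary name, and one containing a
        // path prefix and a quote character that raw concatenation would pass
        // through unchanged.
        String[] samples = { "report.csv", "../\"name\".bat" };
        for (String s : samples) {
            System.out.println("input:  " + s);
            System.out.println("unsafe: " + unsafeContentDisposition(s));
            System.out.println("safe:   " + safeContentDisposition(s, "download.bin"));
        }
    }
}
```

The point of the whitelist approach is that it makes the "derived from user-supplied input" question answerable by inspection: only values that match a fixed character class can appear in the header at all, so a scanner flag on the underlying library version can be assessed against a concrete code path rather than an assumption.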