+1

-----Original Message-----
From: Ju@N <jujora...@gmail.com>
Sent: Tuesday, June 30, 2020 9:12 AM
To: dev@geode.apache.org
Subject: Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
+1

On Tue, 30 Jun 2020 at 17:03, Owen Nichols <onich...@vmware.com> wrote:

> Recently shiro-1.5.2.jar is getting flagged for critical security
> vulnerability CVE-2020-11989.
>
> Analysis shows that Geode does not use Shiro in a manner that would
> expose this vulnerability.
>
> The risk of bringing GEODE-8315 is very low (the difference between Shiro
> 1.5.2 and 1.5.3 is bugfix only). GEODE-8315 has been on develop for 2
> days and passed the pipeline.
>
> This fix is critical to avoid false positives in automated
> vulnerability scans, so it would be nice to bring it in before the 1.13.0 release.

--
Ju@N