Thanks for taking care of that, Owen.

On Tue, Jun 30, 2020 at 9:38 AM Owen Nichols <onich...@vmware.com> wrote:
> Backported to support/1.13 and support/1.12
>
> On 6/30/20, 9:37 AM, "Robert Houghton" <rhough...@vmware.com> wrote:
>
> +1
>
> From: Dick Cavender <di...@vmware.com>
> Date: Tuesday, June 30, 2020 at 9:14 AM
> To: dev@geode.apache.org <dev@geode.apache.org>
> Subject: RE: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
>
> +1
>
> -----Original Message-----
> From: Ju@N <jujora...@gmail.com>
> Sent: Tuesday, June 30, 2020 9:12 AM
> To: dev@geode.apache.org
> Subject: Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
>
> +1
>
> On Tue, 30 Jun 2020 at 17:03, Owen Nichols <onich...@vmware.com> wrote:
>
> > Recently shiro-1.5.2.jar is getting flagged for critical security
> > vulnerability CVE-2020-11989.
> >
> > Analysis shows that Geode does not use Shiro in a manner that would
> > expose this vulnerability.
> >
> > The risk of bringing GEODE-8315 is very low (difference between Shiro
> > 1.5.2 and 1.5.3 is bugfix only). GEODE-8315 has been on develop for 2
> > days and passed the pipeline.
> >
> > This fix is critical to avoid false positives in automated
> > vulnerability scans, so it would be nice to bring before 1.13.0 release.
>
> --
> Ju@N