Looks like more than enough approvals, Owen. Please port, as you proposed. Thanks, Dave
On Tue, Sep 1, 2020 at 7:45 AM Alexander Murmann <amurm...@apache.org> wrote: > +1 > > On Tue, Sep 1, 2020 at 6:19 AM Sarah Abbey <sab...@vmware.com> wrote: > > > +1 > > ________________________________ > > From: Ju@N <jujora...@gmail.com> > > Sent: Tuesday, September 1, 2020 4:10 AM > > To: dev@geode.apache.org <dev@geode.apache.org> > > Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support > > branches > > > > +1 > > > > On Tue, 1 Sep 2020 at 01:11, Donal Evans <doev...@vmware.com> wrote: > > > > > +1 > > > > > > We still have outstanding release blockers for 1.13, so getting this > fix > > > in now just prevents extra work in the future without slowing us down > > now. > > > ________________________________ > > > From: Owen Nichols <onich...@vmware.com> > > > Sent: Monday, August 31, 2020 4:19 PM > > > To: dev@geode.apache.org <dev@geode.apache.org> > > > Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support > branches > > > > > > Recently shiro-1.5.3.jar is getting flagged for ‘high’ security > > > vulnerability CVE-2020-13933. > > > > > > Analysis shows that Geode does not use Shiro in a manner that would > > expose > > > this vulnerability. > > > > > > The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 > > and > > > 1.6.0 is bugfix and dependency bump only). GEODE-8456 has been on > > develop > > > for 6 days and passed all tests. > > > > > > This fix is critical to avoid false positives in automated > vulnerability > > > scans. It would be nice to bring to support branches before 1.13.0 is > > > released. > > > > > > Please vote “+1” to approve including this in 1.13.0. If there are any > > -1 > > > votes, I’ll wait until after 1.13.0 is done to propose this again. > > > > > > > > > -- > > Ju@N > > >
