Re: Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Owen Nichols
There appears to be consensus to bring this critical fix to support/1.12

https://github.com/apache/geode/pull/4926 has been merged to support/1.12 and
Jira updated with correct fix versions.


> On Apr 8, 2020, at 1:41 PM, Dick Cavender  wrote:
> 
> +1
> 
> On Wed, Apr 8, 2020 at 10:08 AM Joris Melchior  wrote:
> 
>> +1
>> 
>> On Wed, Apr 8, 2020 at 12:21 PM Owen Nichols  wrote:
>> 
>>> Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
>>> flagged for “high” security vulnerability CVE-2019-20444 and
>>> CVE-2019-20445.
>>> 
>>> Analysis shows that Geode does not use Netty in a manner that would
>>> expose this vulnerability.
>>> 
>>> The risk of bringing GEODE-7969 is very low.  Netty is only imported for
>>> some I/O libraries in geode-redis, not used as a server.  GEODE-7969 has
>>> passed all PR checks on support/1.12, and the same version bump to
>>> 4.1.45.Final has been on develop since February via GEODE-7798.
>>> 
>>> This fix is critical to avoid false positives in automated vulnerability
>>> scans.
>>> 
>>> -Owen
>> 
>> 
>> 
>> --
>> *Joris Melchior *
>> CF Engineering
>> Pivotal Toronto
>> 416 877 5427
>> 
>> “Programs must be written for people to read, and only incidentally for
>> machines to execute.” – *Hal Abelson*
>> 
>> 



Re: Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Dick Cavender
+1

On Wed, Apr 8, 2020 at 10:08 AM Joris Melchior  wrote:

> +1
>
> On Wed, Apr 8, 2020 at 12:21 PM Owen Nichols  wrote:
>
> > Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
> > flagged for “high" security vulnerability CVE-2019-20444 and
> > CVE-2019-20445.
> >
> > Analysis shows that Geode does not use Netty in a manner that would
> > expose this vulnerability.
> >
> > The risk of bringing GEODE-7969 is very low.  Netty is only imported for
> > some I/O libraries in geode-redis, not used as a server.  GEODE-7969 has
> > passed all PR checks on support/1.12, and the same version bump to
> > 4.1.45.Final has been on develop since February via GEODE-7798.
> >
> > This fix is critical to avoid false positives in automated vulnerability
> > scans.
> >
> > -Owen
>
>
>
> --
> *Joris Melchior *
> CF Engineering
> Pivotal Toronto
> 416 877 5427
>
> “Programs must be written for people to read, and only incidentally for
> machines to execute.” – *Hal Abelson*
> 
>


Re: Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Joris Melchior
+1

On Wed, Apr 8, 2020 at 12:21 PM Owen Nichols  wrote:

> Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
> flagged for “high” security vulnerability CVE-2019-20444 and CVE-2019-20445.
>
> Analysis shows that Geode does not use Netty in a manner that would expose
> this vulnerability.
>
> The risk of bringing GEODE-7969 is very low.  Netty is only imported for
> some I/O libraries in geode-redis, not used as a server.  GEODE-7969 has
> passed all PR checks on support/1.12, and the same version bump to
> 4.1.45.Final has been on develop since February via GEODE-7798.
>
> This fix is critical to avoid false positives in automated vulnerability
> scans.
>
> -Owen



-- 
*Joris Melchior *
CF Engineering
Pivotal Toronto
416 877 5427

“Programs must be written for people to read, and only incidentally for
machines to execute.” – *Hal Abelson*



Re: Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Ju@N
+1

On Wed, 8 Apr 2020 at 17:21, Owen Nichols  wrote:

> Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
> flagged for “high” security vulnerability CVE-2019-20444 and CVE-2019-20445.
>
> Analysis shows that Geode does not use Netty in a manner that would expose
> this vulnerability.
>
> The risk of bringing GEODE-7969 is very low.  Netty is only imported for
> some I/O libraries in geode-redis, not used as a server.  GEODE-7969 has
> passed all PR checks on support/1.12, and the same version bump to
> 4.1.45.Final has been on develop since February via GEODE-7798.
>
> This fix is critical to avoid false positives in automated vulnerability
> scans.
>
> -Owen



-- 
Ju@N


Proposal to bring GEODE-7969 to support/1.12

2020-04-08 Thread Owen Nichols
Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting flagged
for “high” security vulnerability CVE-2019-20444 and CVE-2019-20445.

Analysis shows that Geode does not use Netty in a manner that would expose this 
vulnerability.

The risk of bringing GEODE-7969 is very low.  Netty is only imported for some 
I/O libraries in geode-redis, not used as a server.  GEODE-7969 has passed all 
PR checks on support/1.12, and the same version bump to 4.1.45.Final has been 
on develop since February via GEODE-7798.

This fix is critical to avoid false positives in automated vulnerability scans.

-Owen
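The argument above rests on a reachability claim: the flagged jar is present, but nothing in the product wires up the code the CVEs are in. Both CVE-2019-20444 and CVE-2019-20445 are defects in Netty's HTTP object decoder (io.netty.handler.codec.http.HttpObjectDecoder), so "Netty is only imported for some I/O libraries in geode-redis, not used as a server" can be checked mechanically by asking whether any of our own bytecode references that package at all. The following is an added example of such a check, written for this thread; it is not Geode code, and the package prefix, the class names and the two sample class files are assumptions constructed inline so that it runs without a real jar. It parses the constant pool of each class file in a jar (JVMS §4.4) and reports every class that references the assumed vulnerable package prefix.

```python
"""Reachability triage for a flagged dependency: does any bytecode in a jar
reference the Netty HTTP codec package at all?  Added example, not Geode code.
"""
import io
import struct
import zipfile

# Assumption: the package the flagged CVEs live in (HttpObjectDecoder's package).
VULNERABLE_PREFIX = "io/netty/handler/codec/http/"

# Constant-pool tag -> fixed payload size in bytes (JVMS Table 4.4-A).
# Tag 1 (Utf8) is variable length; tags 5 and 6 (Long/Double) take two slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def referenced_classes(class_bytes: bytes) -> set[str]:
    """Return every CONSTANT_Class name in a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos = 10
    utf8 = {}        # pool index -> string (modified UTF-8; identical for ASCII names)
    class_refs = []  # name_index of each CONSTANT_Class entry
    i = 1            # constant-pool indices are 1-based
    while i < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            ln = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            utf8[i] = class_bytes[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
        else:
            if tag == 7:
                class_refs.append(struct.unpack(">H", class_bytes[pos:pos + 2])[0])
            pos += _FIXED[tag]
        i += 2 if tag in (5, 6) else 1
    return {utf8[r] for r in class_refs if r in utf8}


def scan_jar(jar_bytes: bytes, prefix: str = VULNERABLE_PREFIX) -> dict[str, set[str]]:
    """Map each .class entry in the jar to the classes under `prefix` it references.
    An empty result means the vulnerable package is not reachable from this jar."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            refs = {c for c in referenced_classes(zf.read(name)) if c.startswith(prefix)}
            if refs:
                hits[name] = refs
    return hits


def build_class(this_name: str, referenced: list[str]) -> bytes:
    """Construct a minimal class file whose constant pool references `referenced`.
    Only the header and constant pool matter to the scanner; the rest is empty.
    The pool layout (Utf8 entry followed by a Class entry pointing at it) is the
    one javac emits for class references."""
    pool = []

    def utf8(s: str) -> int:
        b = s.encode("utf-8")
        pool.append(b"\x01" + struct.pack(">H", len(b)) + b)
        return len(pool)                      # index of the entry just added

    def klass(name: str) -> int:
        pool.append(b"\x07" + struct.pack(">H", utf8(name)))
        return len(pool)

    this_idx = klass(this_name)
    super_idx = klass("java/lang/Object")
    for r in referenced:
        klass(r)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)   # Java 8 class version
    body = struct.pack(">H", len(pool) + 1) + b"".join(pool)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    tail = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + body + tail


def build_sample_jar() -> bytes:
    """Constructed sample jar (assumption, not real project classes): one class that
    only touches Netty buffers, one that installs Netty's HTTP server codec."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/redis/BufferUser.class",
                    build_class("org/example/redis/BufferUser",
                                ["io/netty/buffer/ByteBuf", "io/netty/buffer/Unpooled"]))
        zf.writestr("org/example/web/Gateway.class",
                    build_class("org/example/web/Gateway",
                                ["io/netty/channel/ChannelPipeline",
                                 "io/netty/handler/codec/http/HttpServerCodec"]))
    return buf.getvalue()


if __name__ == "__main__":
    for cls, refs in scan_jar(build_sample_jar()).items():
        print(cls, "->", sorted(refs))
```

Run against the real product jars (not the netty jar itself) the result is the evidence behind "not used as a server": a buffer-only user produces no hits, while a class that installs the HTTP codec is reported with the exact Netty class it references. The check is conservative in one direction only: a hit means the codec is linked, not that attacker-controlled HTTP reaches it, so hits still need a manual look at how the pipeline is built; no hits anywhere is strong evidence the CVE is unreachable and the bump is purely scanner hygiene.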