+1 to backport to support/1.12
On 4/6/20, 8:55 AM, "Owen Nichols" <[email protected]> wrote:
Recently some Geode users have expressed concern that shiro-1.4.1.jar is
getting flagged for critical security vulnerability CVE-2020-1957.
Analysis shows that Geode does not use Shiro in a manner that would expose
this vulnerability, so maybe there is no need to backport GEODE-7941.
The risk of bringing GEODE-7941 is very low (Shiro 1.5.2 has no API changes
or other breaking changes relative to 1.4.1; Shiro rolled its minor version
only to make JDK 8 the minimum). GEODE-7941 has passed all tests on develop.
I am happy to go either way here, so putting it to a vote. Does 'making
Geode 1.12 look better to automated vulnerability scans' qualify as a ‘critical
fix’? A big red flag doesn’t make a good first impression…also it’s not easy
for a user to discover for themselves that Geode is not actually vulnerable.
Bringing this fix to support/1.12 might bolster users’ confidence in the Geode
community and our new support-branch model.
-Owen
