+1

On Wed, Apr 8, 2020 at 10:08 AM Joris Melchior <jmelch...@pivotal.io> wrote:

> +1
>
> On Wed, Apr 8, 2020 at 12:21 PM Owen Nichols <onich...@pivotal.io> wrote:
>
> > Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting
> > flagged for “high” security vulnerability CVE-2019-20444 and
> > CVE-2019-20445.
> >
> > Analysis shows that Geode does not use Netty in a manner that would
> > expose this vulnerability.
> >
> > The risk of bringing GEODE-7969 is very low.  Netty is only imported for
> > some I/O libraries in geode-redis, not used as a server.  GEODE-7969 has
> > passed all PR checks on support/1.12, and the same version bump to
> > 4.1.45.Final has been on develop since February via GEODE-7798.
> >
> > This fix is critical to avoid false positives in automated vulnerability
> > scans.
> >
> > -Owen
>
>
>
> --
> *Joris Melchior *
> CF Engineering
> Pivotal Toronto
> 416 877 5427
>
> “Programs must be written for people to read, and only incidentally for
> machines to execute.” – *Hal Abelson*
> <https://en.wikipedia.org/wiki/Hal_Abelson>
>
