CVE-2021-34797: Apache Geode project log file redaction of sensitive information vulnerability

2022-01-03 Thread Kirk Lund
Severity: low Description: Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl

PR to add unique ID to DUnit log output

2022-01-03 Thread Jens Deppe
Hi All. Just a heads up that I have a PR up (https://github.com/apache/geode/pull/7232) which, if merged, will slightly change the log output from DUnit runs. The PR simply adds a 4-character unique ID to the log line. As in: [vm0-51ec] [info 2021/12/24 15:43:54.367 UTC ; tid=0x1d] Reinitializ

Re: [DISCUSS] proposal to pare down old-version testing

2022-01-03 Thread Dan Smith
Looking at KnownVersion.java - we did make protocol changes in 1.12.1 and 1.13.2. So, my suggestion would be to keep 1.12.0 and 1.13.1, but drop all the other patch versions that aren't the latest. -Dan From: Dan Smith Sent: Monday, January 3, 2022 10:37 AM To: d

Re: [DISCUSS] proposal to pare down old-version testing

2022-01-03 Thread Dan Smith
+1 - this seems reasonable to me. If we do make a protocol change in a patch, we could potentially keep around an older patch version just in that specific case, but otherwise I think this makes sense. -Dan From: Anthony Baker Sent: Thursday, December 23, 2021 8