Posted to dev@geode.apache.org by Owen Nichols <on...@pivotal.io> on 2020/05/21 15:51:33 UTC
Proposal to backport GEODE-8167
Some automated scans have flagged Geode Pulse as potentially containing “high” security vulnerability CVE-2020-5407.
Analysis shows that this SAML vulnerability is not applicable to Geode Pulse.
It is low risk to bump the spring-security dependency to the latest version to avoid false positives in automated scans. This change is already on develop and all tests have passed. It would be nice to include this in 1.13.
-Owen
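The triage Owen describes (confirm that the flagged CVE does not reach the module you ship, then bump the dependency anyway so scanners stop firing) can be made mechanical. What follows is an added example, not Geode or Spring Security code: it parses the text form of a Gradle-style dependency report, checks whether the advisory's target module is on the classpath at all, and checks whether any artifact from the flagged group resolves to a version inside an affected range. The sample reports and the version ranges are constructed for illustration; real affected ranges must be copied from the published advisory, and the artifact name `spring-security-saml2-service-provider` is used only as the assumed target of the SAML finding.

```python
"""Triage a scanner CVE hit against the classpath that actually ships.

Added example (not Apache Geode or Spring code). Given a Gradle-style
dependency report it answers two questions a reviewer asks before accepting
a finding or calling it a false positive:
  1. Is the module the advisory targets present at all?
  2. Does any artifact of the flagged group resolve to an affected version?
Sample reports and affected ranges below are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Gradle prints "group:artifact:version" or, after conflict resolution,
# "group:artifact:requested -> resolved"; the resolved version is what ships.
COORD_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+):"
    r"(?P<requested>[A-Za-z0-9_.\-]+)(?:\s+->\s+(?P<resolved>[A-Za-z0-9_.\-]+))?"
)
# Maven-style qualifiers that mean "this is the plain release" (5.3.1.RELEASE == 5.3.1).
NEUTRAL_QUALIFIERS = {"release", "ga", "final"}

SPRING_SECURITY = "org.springframework.security"
SAML_MODULE = "spring-security-saml2-service-provider"  # assumed advisory target
ILLUSTRATIVE_RANGES = [("5.3.0", "5.3.1"), ("5.2.0", "5.2.3")]  # placeholders, inclusive


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str


def parse_dependency_report(text: str) -> set[Artifact]:
    """Collect every resolved coordinate in a Gradle-style dependency tree."""
    found = set()
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m:
            version = m.group("resolved") or m.group("requested")
            found.add(Artifact(m.group("group"), m.group("artifact"), version))
    return found


def version_key(version: str):
    """Comparable key: numeric segments, then a flag so that 5.3.1-RC1 < 5.3.1 == 5.3.1.RELEASE."""
    numeric, qualifier = [], ""
    for part in re.split(r"[.\-]", version):
        if part.isdigit() and not qualifier:
            numeric.append(int(part))
        elif part.lower() not in NEUTRAL_QUALIFIERS:
            qualifier = f"{qualifier}.{part.lower()}" if qualifier else part.lower()
    return (tuple(numeric), 0 if qualifier else 1, qualifier)


def is_affected(version: str, affected_ranges) -> bool:
    """True if version lies inside any inclusive [low, high] range."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in affected_ranges)


def triage(report: str, group: str, target_artifact: str, affected_ranges) -> dict:
    """Decide whether an advisory against group:target_artifact applies to this classpath."""
    deps = parse_dependency_report(report)
    targets = [d for d in deps if d.group == group and d.artifact == target_artifact]
    vulnerable = sorted(f"{d.artifact}:{d.version}" for d in targets
                        if is_affected(d.version, affected_ranges))
    stale = sorted(f"{d.artifact}:{d.version}" for d in deps
                   if d.group == group and is_affected(d.version, affected_ranges))
    if vulnerable:
        verdict = "applicable"
    elif stale:
        # Target module absent, but siblings sit at an affected version: the scanner
        # will keep flagging them, so bumping is the cheap way to remove the noise.
        verdict = "not-applicable-bump-recommended"
    else:
        verdict = "not-applicable"
    return {"target_present": bool(targets), "vulnerable": vulnerable,
            "stale_siblings": stale, "verdict": verdict}


# Constructed sample: a web module before the bump, no SAML module on the classpath.
BEFORE_BUMP = r"""
compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.security:spring-security-web:5.3.0.RELEASE
|    +--- org.springframework.security:spring-security-core:5.3.0.RELEASE
|    \--- org.springframework:spring-web:5.2.6.RELEASE
\--- org.springframework.security:spring-security-config:5.3.0.RELEASE
"""
# Constructed sample: the same module after forcing a newer spring-security.
AFTER_BUMP = r"""
+--- org.springframework.security:spring-security-web:5.3.0.RELEASE -> 5.3.2.RELEASE
|    +--- org.springframework.security:spring-security-core:5.3.0.RELEASE -> 5.3.2.RELEASE
|    \--- org.springframework:spring-web:5.2.6.RELEASE
\--- org.springframework.security:spring-security-config:5.3.2.RELEASE
"""
# Constructed sample: an application that really does ship the SAML module.
SAML_APP = r"""
+--- org.springframework.security:spring-security-saml2-service-provider:5.3.1.RELEASE
|    \--- org.springframework.security:spring-security-web:5.3.1.RELEASE
"""

if __name__ == "__main__":
    for name, report in [("before", BEFORE_BUMP), ("after", AFTER_BUMP), ("saml", SAML_APP)]:
        print(name, triage(report, SPRING_SECURITY, SAML_MODULE, ILLUSTRATIVE_RANGES))
```

The useful output is the middle verdict: the target module is absent, so the CVE does not apply, yet sibling artifacts still resolve to a version inside the affected range, which is exactly the state that produces scanner false positives until the dependency is bumped.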
Re: Proposal to backport GEODE-8167
Posted by Udo Kohlmeyer <ud...@vmware.com>.
+1
On May 21, 2020, 8:51 AM -0700, Owen Nichols <on...@pivotal.io>, wrote:
Some automated scans have flagged Geode Pulse as potentially containing “high” security vulnerability CVE-2020-5407.
Analysis shows that this SAML vulnerability is not applicable to Geode Pulse.
It is low risk to bump the spring-security dependency to the latest version to avoid false positives in automated scans. This change is already on develop and all tests have passed. It would be nice to include this in 1.13.
-Owen
Re: Proposal to backport GEODE-8167
Posted by Owen Nichols <on...@pivotal.io>.
Done!
> On May 21, 2020, at 9:50 AM, Dave Barnes <db...@apache.org> wrote:
>
> Please add this change to support/1.13, Owen.
> Thanks,
> Dave
>
> On 2020/05/21 16:19:49, Dick Cavender <dc...@pivotal.io> wrote:
>> +1
>>
>> On Thu, May 21, 2020 at 8:57 AM Ju@N <ju...@gmail.com> wrote:
>>
>>> +1
>>>
>>> On Thu, 21 May 2020 at 16:53, Anthony Baker <ba...@vmware.com> wrote:
>>>
>>>> +1
>>>>
>>>>> On May 21, 2020, at 8:51 AM, Owen Nichols <on...@pivotal.io> wrote:
>>>>>
>>>>> Some automated scans have flagged Geode Pulse as potentially containing
>>>> “high” security vulnerability CVE-2020-5407.
>>>>>
>>>>> Analysis shows that this SAML vulnerability is not applicable to Geode
>>>> Pulse.
>>>>>
>>>>> It is low risk to bump the spring-security dependency to the latest
>>>> version to avoid false positives in automated scans. This change is
>>>> already on develop and all tests have passed. It would be nice to
>>> include
>>>> this in 1.13.
>>>>>
>>>>> -Owen
>>>>
>>>>
>>>
>>> --
>>> Ju@N
>>>
>>
Re: Proposal to backport GEODE-8167
Posted by Dave Barnes <db...@apache.org>.
Please add this change to support/1.13, Owen.
Thanks,
Dave
On 2020/05/21 16:19:49, Dick Cavender <dc...@pivotal.io> wrote:
> +1
>
> On Thu, May 21, 2020 at 8:57 AM Ju@N <ju...@gmail.com> wrote:
>
> > +1
> >
> > On Thu, 21 May 2020 at 16:53, Anthony Baker <ba...@vmware.com> wrote:
> >
> > > +1
> > >
> > > > On May 21, 2020, at 8:51 AM, Owen Nichols <on...@pivotal.io> wrote:
> > > >
> > > > Some automated scans have flagged Geode Pulse as potentially containing
> > > “high” security vulnerability CVE-2020-5407.
> > > >
> > > > Analysis shows that this SAML vulnerability is not applicable to Geode
> > > Pulse.
> > > >
> > > > It is low risk to bump the spring-security dependency to the latest
> > > version to avoid false positives in automated scans. This change is
> > > already on develop and all tests have passed. It would be nice to
> > include
> > > this in 1.13.
> > > >
> > > > -Owen
> > >
> > >
> >
> > --
> > Ju@N
> >
>
Re: Proposal to backport GEODE-8167
Posted by Dick Cavender <dc...@pivotal.io>.
+1
On Thu, May 21, 2020 at 8:57 AM Ju@N <ju...@gmail.com> wrote:
> +1
>
> On Thu, 21 May 2020 at 16:53, Anthony Baker <ba...@vmware.com> wrote:
>
> > +1
> >
> > > On May 21, 2020, at 8:51 AM, Owen Nichols <on...@pivotal.io> wrote:
> > >
> > > Some automated scans have flagged Geode Pulse as potentially containing
> > “high” security vulnerability CVE-2020-5407.
> > >
> > > Analysis shows that this SAML vulnerability is not applicable to Geode
> > Pulse.
> > >
> > > It is low risk to bump the spring-security dependency to the latest
> > version to avoid false positives in automated scans. This change is
> > already on develop and all tests have passed. It would be nice to
> include
> > this in 1.13.
> > >
> > > -Owen
> >
> >
>
> --
> Ju@N
>
Re: Proposal to backport GEODE-8167
Posted by "Ju@N" <ju...@gmail.com>.
+1
On Thu, 21 May 2020 at 16:53, Anthony Baker <ba...@vmware.com> wrote:
> +1
>
> > On May 21, 2020, at 8:51 AM, Owen Nichols <on...@pivotal.io> wrote:
> >
> > Some automated scans have flagged Geode Pulse as potentially containing
> “high” security vulnerability CVE-2020-5407.
> >
> > Analysis shows that this SAML vulnerability is not applicable to Geode
> Pulse.
> >
> > It is low risk to bump the spring-security dependency to the latest
> version to avoid false positives in automated scans. This change is
> already on develop and all tests have passed. It would be nice to include
> this in 1.13.
> >
> > -Owen
>
>
--
Ju@N
Re: Proposal to backport GEODE-8167
Posted by Anthony Baker <ba...@vmware.com>.
+1
> On May 21, 2020, at 8:51 AM, Owen Nichols <on...@pivotal.io> wrote:
>
> Some automated scans have flagged Geode Pulse as potentially containing “high” security vulnerability CVE-2020-5407.
>
> Analysis shows that this SAML vulnerability is not applicable to Geode Pulse.
>
> It is low risk to bump the spring-security dependency to the latest version to avoid false positives in automated scans. This change is already on develop and all tests have passed. It would be nice to include this in 1.13.
>
> -Owen