Posted to dev@geode.apache.org by Owen Nichols <on...@vmware.com> on 2020/06/30 16:03:37 UTC
Proposal to bring GEODE-8315 (shiro upgrade) to support branches
Recently, shiro-1.5.2.jar has been getting flagged for the critical security vulnerability CVE-2020-11989.
Analysis shows that Geode does not use Shiro in a manner that would expose this vulnerability.
The risk of bringing GEODE-8315 is very low (the difference between Shiro 1.5.2 and 1.5.3 is bug fixes only). GEODE-8315 has been on develop for 2 days and passed the pipeline.
This fix is critical to avoid false positives in automated vulnerability scans, so it would be nice to bring it in before the 1.13.0 release.
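A practical check for a backport like this, as an added example that is not Geode or Shiro project code: it parses the tree printed by "gradle dependencies --configuration runtimeClasspath" on the support branch and flags any resolved artifact whose version is below the first fixed release, so the branch can be confirmed clean before the next scanner run. The advisory table and the two sample trees are constructed for this example; the conflict-resolution arrow ("1.5.2 -> 1.5.3") is how Gradle reports a version forced up by a BOM or constraint, which is what a scanner that only reads declared versions can miss.

```python
"""Flag dependency versions below a fixed release in Gradle tree output.

Added example (not Geode or Shiro code). The advisory table and sample
trees below are constructed; run the parser on real
`gradle dependencies --configuration runtimeClasspath` output instead.
"""
import re
from typing import Dict, List, Tuple

# One tree line: optional drawing characters, then group:name:version,
# optionally followed by " -> resolved" when Gradle upgraded the version
# during conflict resolution. Trailing markers such as "(*)" are ignored.
_DEP_RE = re.compile(
    r"^[\s|+\\\-]*"
    r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<version>[\w.\-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric comparison key: '1.5.10' must sort after '1.5.3', which a
    plain string compare gets wrong. Non-numeric qualifiers such as
    'RELEASE' end the key."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_gradle_tree(text: str) -> Dict[Tuple[str, str], str]:
    """Map (group, artifact) -> resolved version; the '->' version wins."""
    resolved: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = _DEP_RE.match(line)
        if not m:
            continue  # configuration headers, 'project :x' lines, blanks
        resolved[(m.group("group"), m.group("name"))] = (
            m.group("resolved") or m.group("version")
        )
    return resolved


# Constructed advisory table: artifact -> (first fixed version, advisory).
# CVE-2020-11989 is fixed in Shiro 1.5.3, the version GEODE-8315 moves to.
ADVISORIES: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("org.apache.shiro", "shiro-core"): ("1.5.3", "CVE-2020-11989"),
}


def find_flagged(resolved: Dict[Tuple[str, str], str],
                 advisories: Dict[Tuple[str, str], Tuple[str, str]] = ADVISORIES
                 ) -> List[str]:
    """Return one line per resolved artifact still below its fixed version."""
    findings = []
    for (group, name), version in sorted(resolved.items()):
        if (group, name) not in advisories:
            continue
        fixed, advisory = advisories[(group, name)]
        if parse_version(version) < parse_version(fixed):
            findings.append(f"{group}:{name}:{version} ({advisory}, fixed in {fixed})")
    return findings


# Constructed sample output, shaped like `gradle dependencies` prints it.
BEFORE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.shiro:shiro-core:1.5.2
|    +--- org.apache.shiro:shiro-lang:1.5.2
|    \\--- commons-beanutils:commons-beanutils:1.9.4
+--- org.apache.logging.log4j:log4j-api:2.13.2 -> 2.13.3
\\--- org.springframework:spring-core:5.2.6.RELEASE (*)
"""
# Same tree after the upgrade is applied through a BOM constraint.
AFTER = BEFORE.replace("shiro-core:1.5.2", "shiro-core:1.5.2 -> 1.5.3")

if __name__ == "__main__":
    for label, tree in (("before GEODE-8315", BEFORE), ("after GEODE-8315", AFTER)):
        print(label + ":", find_flagged(parse_gradle_tree(tree)) or "clean")
```

Run it against the real tree on support/1.12 and support/1.13 after the backport; an empty result for shiro-core is the evidence the scanner will stop flagging the branch, and a non-empty one usually means some module still pins the old version.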
Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
Posted by Dave Barnes <db...@apache.org>.
Thanks for taking care of that, Owen.
On Tue, Jun 30, 2020 at 9:38 AM Owen Nichols <on...@vmware.com> wrote:
> Backported to support/1.13 and support/1.12
>
> On 6/30/20, 9:37 AM, "Robert Houghton" <rh...@vmware.com> wrote:
>
> +1
>
> From: Dick Cavender <di...@vmware.com>
> Date: Tuesday, June 30, 2020 at 9:14 AM
> To: dev@geode.apache.org <de...@geode.apache.org>
> Subject: RE: Proposal to bring GEODE-8315 (shiro upgrade) to support
> branches
> +1
>
> -----Original Message-----
> From: Ju@N <ju...@gmail.com>
> Sent: Tuesday, June 30, 2020 9:12 AM
> To: dev@geode.apache.org
> Subject: Re: Proposal to bring GEODE-8315 (shiro upgrade) to support
> branches
>
> +1
>
> On Tue, 30 Jun 2020 at 17:03, Owen Nichols <on...@vmware.com>
> wrote:
>
> > Recently, shiro-1.5.2.jar has been getting flagged for the critical
> > security vulnerability CVE-2020-11989.
> >
> > Analysis shows that Geode does not use Shiro in a manner that would
> > expose this vulnerability.
> >
> > The risk of bringing GEODE-8315 is very low (the difference between
> > Shiro 1.5.2 and 1.5.3 is bug fixes only). GEODE-8315 has been on
> > develop for 2 days and passed the pipeline.
> >
> > This fix is critical to avoid false positives in automated
> > vulnerability scans, so it would be nice to bring it in before the
> > 1.13.0 release.
> >
>
>
> --
> Ju@N
>
>
Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
Posted by Owen Nichols <on...@vmware.com>.
Backported to support/1.13 and support/1.12
On 6/30/20, 9:37 AM, "Robert Houghton" <rh...@vmware.com> wrote:
+1
From: Dick Cavender <di...@vmware.com>
Date: Tuesday, June 30, 2020 at 9:14 AM
To: dev@geode.apache.org <de...@geode.apache.org>
Subject: RE: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
+1
-----Original Message-----
From: Ju@N <ju...@gmail.com>
Sent: Tuesday, June 30, 2020 9:12 AM
To: dev@geode.apache.org
Subject: Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
+1
On Tue, 30 Jun 2020 at 17:03, Owen Nichols <on...@vmware.com> wrote:
> Recently, shiro-1.5.2.jar has been getting flagged for the critical
> security vulnerability CVE-2020-11989.
>
> Analysis shows that Geode does not use Shiro in a manner that would
> expose this vulnerability.
>
> The risk of bringing GEODE-8315 is very low (the difference between
> Shiro 1.5.2 and 1.5.3 is bug fixes only). GEODE-8315 has been on
> develop for 2 days and passed the pipeline.
>
> This fix is critical to avoid false positives in automated
> vulnerability scans, so it would be nice to bring it in before the
> 1.13.0 release.
>
--
Ju@N
Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
Posted by Robert Houghton <rh...@vmware.com>.
+1
From: Dick Cavender <di...@vmware.com>
Date: Tuesday, June 30, 2020 at 9:14 AM
To: dev@geode.apache.org <de...@geode.apache.org>
Subject: RE: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
+1
-----Original Message-----
From: Ju@N <ju...@gmail.com>
Sent: Tuesday, June 30, 2020 9:12 AM
To: dev@geode.apache.org
Subject: Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
+1
On Tue, 30 Jun 2020 at 17:03, Owen Nichols <on...@vmware.com> wrote:
> Recently, shiro-1.5.2.jar has been getting flagged for the critical
> security vulnerability CVE-2020-11989.
>
> Analysis shows that Geode does not use Shiro in a manner that would
> expose this vulnerability.
>
> The risk of bringing GEODE-8315 is very low (the difference between
> Shiro 1.5.2 and 1.5.3 is bug fixes only). GEODE-8315 has been on
> develop for 2 days and passed the pipeline.
>
> This fix is critical to avoid false positives in automated
> vulnerability scans, so it would be nice to bring it in before the
> 1.13.0 release.
>
--
Ju@N
RE: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
Posted by Dick Cavender <di...@vmware.com>.
+1
-----Original Message-----
From: Ju@N <ju...@gmail.com>
Sent: Tuesday, June 30, 2020 9:12 AM
To: dev@geode.apache.org
Subject: Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
+1
On Tue, 30 Jun 2020 at 17:03, Owen Nichols <on...@vmware.com> wrote:
> Recently, shiro-1.5.2.jar has been getting flagged for the critical
> security vulnerability CVE-2020-11989.
>
> Analysis shows that Geode does not use Shiro in a manner that would
> expose this vulnerability.
>
> The risk of bringing GEODE-8315 is very low (the difference between
> Shiro 1.5.2 and 1.5.3 is bug fixes only). GEODE-8315 has been on
> develop for 2 days and passed the pipeline.
>
> This fix is critical to avoid false positives in automated
> vulnerability scans, so it would be nice to bring it in before the
> 1.13.0 release.
>
--
Ju@N
Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches
Posted by "Ju@N" <ju...@gmail.com>.
+1
On Tue, 30 Jun 2020 at 17:03, Owen Nichols <on...@vmware.com> wrote:
> Recently, shiro-1.5.2.jar has been getting flagged for the critical
> security vulnerability CVE-2020-11989.
>
> Analysis shows that Geode does not use Shiro in a manner that would
> expose this vulnerability.
>
> The risk of bringing GEODE-8315 is very low (the difference between
> Shiro 1.5.2 and 1.5.3 is bug fixes only). GEODE-8315 has been on
> develop for 2 days and passed the pipeline.
>
> This fix is critical to avoid false positives in automated
> vulnerability scans, so it would be nice to bring it in before the
> 1.13.0 release.
>
--
Ju@N