Posted to dev@geode.apache.org by Donal Evans <do...@vmware.com> on 2020/09/01 00:11:14 UTC

Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

+1

We still have outstanding release blockers for 1.13, so getting this fix in now just prevents extra work in the future without slowing us down now.
________________________________
From: Owen Nichols <on...@vmware.com>
Sent: Monday, August 31, 2020 4:19 PM
To: dev@geode.apache.org <de...@geode.apache.org>
Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

Recently shiro-1.5.3.jar is getting flagged for ‘high’ security vulnerability CVE-2020-13933.

Analysis shows that Geode does not use Shiro in a manner that would expose this vulnerability.

The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 and 1.6.0 is bugfix and dependency bump only).  GEODE-8456 has been on develop for 6 days and passed all tests.

This fix is critical to avoid false positives in automated vulnerability scans.  It would be nice to bring to support branches before 1.13.0 is released.

Please vote “+1” to approve including this in 1.13.0.  If there are any -1 votes, I’ll wait until after 1.13.0 is done to propose this again.
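The proposal above turns on two separate questions: does a scanner flag the jar (a version comparison), and is the code path actually exposed (an analysis the thread says was done by hand). The following script is an added example for this page, not code from Apache Geode or Apache Shiro, covering only the first question. Its advisory table is hypothetical and contains just what the thread states, that Shiro below 1.6.0 is flagged for CVE-2020-13933 and the 1.6.0 bump clears it; the classpath it scans is constructed for the demonstration, and the version ordering is a simplified Maven-style compare (numeric segments as integers, a qualifier such as -RC1 ranking below the plain release).

```python
"""Flag Shiro jars on a classpath that predate the CVE-2020-13933 fix (Shiro 1.6.0).

Example code written for this page; not part of Apache Geode or Apache Shiro.
The advisory table is hypothetical and carries only what the thread states.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical advisory table: artifactId prefix -> (CVE id, first fixed version).
ADVISORIES = {
    "shiro": ("CVE-2020-13933", "1.6.0"),
}

# Maven jar names are <artifactId>-<version>.jar; the version is the first
# dash-separated token that starts with a digit, so "shiro-core-1.5.3.jar"
# splits into ("shiro-core", "1.5.3") and "shiro-1.5.3.jar" into ("shiro", "1.5.3").
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


@dataclass(frozen=True)
class Finding:
    jar: str
    artifact: str
    version: str
    cve: str
    fixed_in: str


def parse_version(version: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """Split '1.6.0-RC1' into ((1, 6, 0), 'RC1'). Numeric segments compare as
    integers so '1.10.0' sorts after '1.6.0'; plain string order gets that wrong."""
    release, _, qualifier = version.partition("-")
    numbers = tuple(int(part) for part in release.split(".") if part.isdigit())
    return numbers, (qualifier or None)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than version b (simplified Maven ordering:
    a qualifier such as -RC1 or -SNAPSHOT ranks below the plain release)."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return na < nb
    return qa is not None and qb is None


def parse_jar_name(path: str) -> Optional[Tuple[str, str]]:
    """Return (artifactId, version) for a jar path, or None if it is not a Maven-style jar."""
    match = JAR_RE.match(os.path.basename(path))
    if not match:
        return None
    return match.group("artifact"), match.group("version")


def lookup_advisory(artifact: str) -> Optional[Tuple[str, str]]:
    """Match 'shiro', 'shiro-core', 'shiro-web', ... against the table by artifactId prefix."""
    for prefix, advisory in ADVISORIES.items():
        if artifact == prefix or artifact.startswith(prefix + "-"):
            return advisory
    return None


def scan_classpath(classpath: str) -> List[Finding]:
    """Report every jar whose artifact has an advisory and whose version predates the fix.
    This is presence-only: it says nothing about whether the vulnerable code path is reachable."""
    findings = []
    for entry in classpath.split(os.pathsep):
        parsed = parse_jar_name(entry)
        if parsed is None:
            continue
        artifact, version = parsed
        advisory = lookup_advisory(artifact)
        if advisory and version_lt(version, advisory[1]):
            findings.append(Finding(entry, artifact, version, advisory[0], advisory[1]))
    return findings


# Constructed classpath for the demonstration (not a real Geode distribution).
SAMPLE_CLASSPATH = os.pathsep.join([
    "lib/geode-core-1.13.0.jar",
    "lib/shiro-core-1.5.3.jar",      # flagged: below 1.6.0
    "lib/shiro-core-1.6.0-RC1.jar",  # flagged: pre-release of the fixed version
    "lib/shiro-core-1.10.0.jar",     # not flagged; a string compare would flag it
    "lib/log4j-api-2.13.3.jar",      # no advisory in the table
    "lib/classes",                   # not a jar, skipped
])

if __name__ == "__main__":
    for f in scan_classpath(SAMPLE_CLASSPATH):
        print(f"{f.jar}: {f.artifact} {f.version} < {f.fixed_in} ({f.cve})")
```

Run against a real installation by passing the output of the JVM's classpath (or a `find lib -name '*.jar'` listing joined with the platform path separator) instead of `SAMPLE_CLASSPATH`. A hit from this kind of check is exactly what the thread calls a false positive once the usage analysis shows the code path is not exposed; the version compare cannot make that call, so the bump to 1.6.0 is what makes the scanner and the analysis agree.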

Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

Posted by Owen Nichols <on...@vmware.com>.
Done, thanks!

On 9/1/20, 10:22 AM, "Dave Barnes" <db...@apache.org> wrote:

    Looks like more than enough approvals, Owen. Please port, as you proposed.
    Thanks,
    Dave

    On Tue, Sep 1, 2020 at 7:45 AM Alexander Murmann <am...@apache.org>
    wrote:

    > +1
    >
    > On Tue, Sep 1, 2020 at 6:19 AM Sarah Abbey <sa...@vmware.com> wrote:
    >
    > > +1
    > > ________________________________
    > > From: Ju@N <ju...@gmail.com>
    > > Sent: Tuesday, September 1, 2020 4:10 AM
    > > To: dev@geode.apache.org <de...@geode.apache.org>
    > > Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support
    > > branches
    > >
    > > +1
    > >
    > > On Tue, 1 Sep 2020 at 01:11, Donal Evans <do...@vmware.com> wrote:
    > >
    > > > +1
    > > >
    > > > We still have outstanding release blockers for 1.13, so getting this fix
    > > > in now just prevents extra work in the future without slowing us down now.
    > > > ________________________________
    > > > From: Owen Nichols <on...@vmware.com>
    > > > Sent: Monday, August 31, 2020 4:19 PM
    > > > To: dev@geode.apache.org <de...@geode.apache.org>
    > > > Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support
    > branches
    > > >
    > > > Recently shiro-1.5.3.jar is getting flagged for ‘high’ security
    > > > vulnerability CVE-2020-13933.
    > > >
    > > > Analysis shows that Geode does not use Shiro in a manner that would expose
    > > > this vulnerability.
    > > >
    > > > The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 and
    > > > 1.6.0 is bugfix and dependency bump only).  GEODE-8456 has been on develop
    > > > for 6 days and passed all tests.
    > > >
    > > > This fix is critical to avoid false positives in automated vulnerability
    > > > scans.  It would be nice to bring to support branches before 1.13.0 is
    > > > released.
    > > >
    > > > Please vote “+1” to approve including this in 1.13.0.  If there are any -1
    > > > votes, I’ll wait until after 1.13.0 is done to propose this again.
    > > >
    > >
    > >
    > > --
    > > Ju@N
    > >
    >


Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

Posted by Dave Barnes <db...@apache.org>.
Looks like more than enough approvals, Owen. Please port, as you proposed.
Thanks,
Dave

On Tue, Sep 1, 2020 at 7:45 AM Alexander Murmann <am...@apache.org>
wrote:

> +1
>
> On Tue, Sep 1, 2020 at 6:19 AM Sarah Abbey <sa...@vmware.com> wrote:
>
> > +1
> > ________________________________
> > From: Ju@N <ju...@gmail.com>
> > Sent: Tuesday, September 1, 2020 4:10 AM
> > To: dev@geode.apache.org <de...@geode.apache.org>
> > Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support
> > branches
> >
> > +1
> >
> > On Tue, 1 Sep 2020 at 01:11, Donal Evans <do...@vmware.com> wrote:
> >
> > > +1
> > >
> > > We still have outstanding release blockers for 1.13, so getting this fix
> > > in now just prevents extra work in the future without slowing us down now.
> > > ________________________________
> > > From: Owen Nichols <on...@vmware.com>
> > > Sent: Monday, August 31, 2020 4:19 PM
> > > To: dev@geode.apache.org <de...@geode.apache.org>
> > > Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support
> branches
> > >
> > > Recently shiro-1.5.3.jar is getting flagged for ‘high’ security
> > > vulnerability CVE-2020-13933.
> > >
> > > Analysis shows that Geode does not use Shiro in a manner that would expose
> > > this vulnerability.
> > >
> > > The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 and
> > > 1.6.0 is bugfix and dependency bump only).  GEODE-8456 has been on develop
> > > for 6 days and passed all tests.
> > >
> > > This fix is critical to avoid false positives in automated vulnerability
> > > scans.  It would be nice to bring to support branches before 1.13.0 is
> > > released.
> > >
> > > Please vote “+1” to approve including this in 1.13.0.  If there are any -1
> > > votes, I’ll wait until after 1.13.0 is done to propose this again.
> > >
> >
> >
> > --
> > Ju@N
> >
>

Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

Posted by Alexander Murmann <am...@apache.org>.
+1

On Tue, Sep 1, 2020 at 6:19 AM Sarah Abbey <sa...@vmware.com> wrote:

> +1
> ________________________________
> From: Ju@N <ju...@gmail.com>
> Sent: Tuesday, September 1, 2020 4:10 AM
> To: dev@geode.apache.org <de...@geode.apache.org>
> Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support
> branches
>
> +1
>
> On Tue, 1 Sep 2020 at 01:11, Donal Evans <do...@vmware.com> wrote:
>
> > +1
> >
> > We still have outstanding release blockers for 1.13, so getting this fix
> > in now just prevents extra work in the future without slowing us down now.
> > ________________________________
> > From: Owen Nichols <on...@vmware.com>
> > Sent: Monday, August 31, 2020 4:19 PM
> > To: dev@geode.apache.org <de...@geode.apache.org>
> > Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support branches
> >
> > Recently shiro-1.5.3.jar is getting flagged for ‘high’ security
> > vulnerability CVE-2020-13933.
> >
> > Analysis shows that Geode does not use Shiro in a manner that would expose
> > this vulnerability.
> >
> > The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 and
> > 1.6.0 is bugfix and dependency bump only).  GEODE-8456 has been on develop
> > for 6 days and passed all tests.
> >
> > This fix is critical to avoid false positives in automated vulnerability
> > scans.  It would be nice to bring to support branches before 1.13.0 is
> > released.
> >
> > Please vote “+1” to approve including this in 1.13.0.  If there are any -1
> > votes, I’ll wait until after 1.13.0 is done to propose this again.
> >
>
>
> --
> Ju@N
>

Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

Posted by Sarah Abbey <sa...@vmware.com>.
+1
________________________________
From: Ju@N <ju...@gmail.com>
Sent: Tuesday, September 1, 2020 4:10 AM
To: dev@geode.apache.org <de...@geode.apache.org>
Subject: Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

+1

On Tue, 1 Sep 2020 at 01:11, Donal Evans <do...@vmware.com> wrote:

> +1
>
> We still have outstanding release blockers for 1.13, so getting this fix
> in now just prevents extra work in the future without slowing us down now.
> ________________________________
> From: Owen Nichols <on...@vmware.com>
> Sent: Monday, August 31, 2020 4:19 PM
> To: dev@geode.apache.org <de...@geode.apache.org>
> Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support branches
>
> Recently shiro-1.5.3.jar is getting flagged for ‘high’ security
> vulnerability CVE-2020-13933.
>
> Analysis shows that Geode does not use Shiro in a manner that would expose
> this vulnerability.
>
> The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 and
> 1.6.0 is bugfix and dependency bump only).  GEODE-8456 has been on develop
> for 6 days and passed all tests.
>
> This fix is critical to avoid false positives in automated vulnerability
> scans.  It would be nice to bring to support branches before 1.13.0 is
> released.
>
> Please vote “+1” to approve including this in 1.13.0.  If there are any -1
> votes, I’ll wait until after 1.13.0 is done to propose this again.
>


--
Ju@N

Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches

Posted by "Ju@N" <ju...@gmail.com>.
+1

On Tue, 1 Sep 2020 at 01:11, Donal Evans <do...@vmware.com> wrote:

> +1
>
> We still have outstanding release blockers for 1.13, so getting this fix
> in now just prevents extra work in the future without slowing us down now.
> ________________________________
> From: Owen Nichols <on...@vmware.com>
> Sent: Monday, August 31, 2020 4:19 PM
> To: dev@geode.apache.org <de...@geode.apache.org>
> Subject: Proposal to bring GEODE-8456 (shiro upgrade) to support branches
>
> Recently shiro-1.5.3.jar is getting flagged for ‘high’ security
> vulnerability CVE-2020-13933.
>
> Analysis shows that Geode does not use Shiro in a manner that would expose
> this vulnerability.
>
> The risk of bringing GEODE-8456 is low (difference between Shiro 1.5.3 and
> 1.6.0 is bugfix and dependency bump only).  GEODE-8456 has been on develop
> for 6 days and passed all tests.
>
> This fix is critical to avoid false positives in automated vulnerability
> scans.  It would be nice to bring to support branches before 1.13.0 is
> released.
>
> Please vote “+1” to approve including this in 1.13.0.  If there are any -1
> votes, I’ll wait until after 1.13.0 is done to propose this again.
>


-- 
Ju@N