shiro-dev mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject [ANN] Apache Shiro 1.1.0 Released!
Date Wed, 03 Nov 2010 03:59:16 GMT
Dear Apache Shiro Community,

The Shiro team is pleased to announce our first release as an Apache
Top Level Project, Apache Shiro version 1.1.0.

This release includes a number of bug fixes, new features and one
important security vulnerability fix (noted at the end of this email)
- it is recommended that users upgrade to 1.1.0 as soon as possible.

This release is available from http://shiro.apache.org/download.html.

All binaries are available in Maven Central already.  Please note that
most of the Apache mirrors have been updated to reflect the source
distribution, but some mirrors may not be updated yet.  If a mirror
download link does not work, please try another or wait another 12 to
24 hours.

Release Notes:

Release Notes - Shiro - Version 1.1.0

** Bug
    * [SHIRO-172] - Missing SVN properties
    * [SHIRO-177] - Wrong SimpleCookie expires locale
    * [SHIRO-181] - Typo in IniShiroFilter javadoc
    * [SHIRO-182] - SimpleSession cannot be deserialized
    * [SHIRO-183] - Unable to correctly extract the Initialization
Vector or ciphertext
    * [SHIRO-185] - Shiro Annotations in Spring apps:  annotations on
method implementations not handled when using Spring's
DefaultAutoProxyCreator
    * [SHIRO-190] - PortFilter not accepting custom port
    * [SHIRO-199] - Session Validation thread does not notify
SessionListeners or clean orphans
    * [SHIRO-201] - SessionsSecurityManager destroy() doesn't call
super.destroy()

** Improvement
    * [SHIRO-175] - Improve Set of permission and role checks
    * [SHIRO-176] - AuthenticationInfo instances should be able to
return stored salt
    * [SHIRO-180] - Upgrade 3rd party dependencies to latest stable versions
    * [SHIRO-186] - Credentials Hashing: AuthenticationInfo should be
able to return a salt for credentials comparison
    * [SHIRO-191] - Change all StringBuffer usages to StringBuilder
    * [SHIRO-196] - Change any remaining usages of StringBuffer to
StringBuilder where possible
    * [SHIRO-204] - Deprecate subclasses of HashedCredentialsMatcher
and cleanup Hash implementations

** New Feature
    * [SHIRO-27] - OSGi support
    * [SHIRO-166] - Complete and realistic web application example (but
without Spring)
    * [SHIRO-173] - Make the HttpMethodPermissionFilter the 'rest'
filter in the pool of default filters
    * [SHIRO-189] - Make existing Shiro .jars OSGi bundles

** Task
    * [SHIRO-168] - Remove all @Author tags
    * [SHIRO-209] - Remove Atlassian Crowd support module from source
release until license compatibility can be verified

Enjoy!

The Apache Shiro team

-------
Below this line is the CVE report concerning the discovered security
vulnerability fixed in 1.1.0.  We advise all users to upgrade to 1.1.0
as soon as possible.


CVE-2010-3863: Apache Shiro information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Shiro 1.0.0-incubating
The unsupported JSecurity 0.9.x versions are also affected

Description:
Shiro's path-based filter chain mechanism did not normalize request paths
before performing path-matching logic.  The result is that Shiro filter
chain matching logic was susceptible to potential path traversal attacks.

Mitigation:
All users should upgrade to 1.1.0

Example:
For a shiro.ini [urls] section entry:

/account/** = authc, ...
/** = anon

This states that all requests to the /account/** pages should be
authenticated (as indicated by the 'authc' (authentication) filter) in the
chain definition.

A malicious request could be sent:

GET /./account/index.jsp HTTP/1.1

And access would be granted because the path was not normalized to
/account/index.jsp before evaluating the path for a match.
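To make the matching flaw concrete, here is an added Python example (not Shiro's own code) with a constructed, minimal Ant-style matcher over the [urls] entries above: `CHAINS`, `normalize_path`, `ant_match` and `select_chain` are names chosen for this illustration, and the normalization step stands in for what 1.1.0 performs before chain resolution.

```python
import re

# Constructed equivalent of the shiro.ini [urls] section above; first match wins.
CHAINS = [
    ("/account/**", "authc"),
    ("/**", "anon"),
]


def normalize_path(path):
    """Collapse '.', '..' and empty segments so that every spelling of a
    resource reduces to one canonical absolute path before matching."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # '/./x' and '//x' both mean '/x'
        if seg == "..":
            if out:
                out.pop()       # '/a/../x' means '/x'; never climb above root
            continue
        out.append(seg)
    return "/" + "/".join(out)


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '**' spans directories, '*' one segment,
    '?' one character; everything else is literal."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pattern[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        elif pattern[i] == "?":
            regex, i = regex + "[^/]", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.fullmatch(regex, path) is not None


def select_chain(request_path, normalize=True):
    """Return the filter chain name that applies to a request path.
    normalize=False reproduces the pre-1.1.0 behaviour described above."""
    path = normalize_path(request_path) if normalize else request_path
    for pattern, chain in CHAINS:
        if ant_match(pattern, path):
            return chain
    return None
```

Without normalization the request `/./account/index.jsp` falls through to the `anon` chain; with normalization it resolves to `/account/index.jsp` and hits `authc`.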

Credit:
This issue was discovered by Luke Taylor of SpringSource.

References:
http://shiro.apache.org/configuration.html

Les Hazlewood
