shiro-dev mailing list archives

From "Daniel M." <dan4bear-t...@yahoo.com.INVALID>
Subject Re: [VOTE] Release Apache Shiro 1.2.5
Date Mon, 16 May 2016 20:48:12 GMT
Not that my vote counts, but I vote "YES" if the release has this fix:
[SHIRO-442] CAS client fails with multi-valued SAML attributes - ASF JIRA

    On Monday, May 16, 2016 3:20 PM, Brian Demers <brian.demers@gmail.com> wrote:
 

 Going to keep this open for a little while longer. We need a few more votes.

On Fri, May 13, 2016 at 10:48 PM, Brian Demers <brian.demers@gmail.com>
wrote:

> I would like to hear other thoughts/opinions on Richard's comments, while I
> don't completely agree, he brings up a valid concern (copy / pasting from
> examples).
>
> I have some thoughts around the default serialization and cookie timeout
> fix that I'd like to test after this release is out.
>
> As for any notification, we need to cut the release first.
>
>
> On Fri, May 13, 2016 at 12:41 PM, Richard Bradley <
> Richard.Bradley@softwire.com> wrote:
>
>> I think that the fix to https://issues.apache.org/jira/browse/SHIRO-550
>> still has some remaining issues. I have commented here:
>> https://github.com/apache/shiro/commit/64d9f8341e1aa7ef1a29744e16ea7c578ca5deee#commitcomment-17463570
>>
>> Further, I think it would be nice if the default cookie mechanisms didn't
>> deserialize user-provided values at all, to avoid RCE by those who know (or
>> can guess) the encryption key. It would be better if those who knew the key
>> were limited to being able to fake a login, rather than being able to own
>> the whole server. That seems less urgent than any fix to 550 though.
>>
>> Are there any plans to alert Shiro users that this release is very
>> urgent? I don't have the means or motivation to try to assess the extent of
>> this issue in the wild, but I expect that many current users of Shiro are
>> open to this serious vulnerability.
>>
>> Yours,
>>
>>
>> Rich
>>
>>
>> -----Original Message-----
>> From: Brian Demers [mailto:brian.demers@gmail.com]
>> Sent: 12 May 2016 02:13
>> To: dev@shiro.apache.org
>> Subject: [VOTE] Release Apache Shiro 1.2.5
>>
>> This is a call to vote in favor of releasing Apache Shiro version 1.2.5.
>> This is a bug fix point release from 1.2.x branch.
>>
>> The following issues are fixed for 1.2.5:
>>
>> https://issues.apache.org/jira/browse/SHIRO-562?jql=project%20%3D%20SHIRO%20and%20fixVersion%20%3D%201.2.5%20and%20resolution%20%3D%20Fixed
>>
>> Source:
>>
>> https://git-wip-us.apache.org/repos/asf?p=shiro.git;a=commit;h=b70bcef984534aaa1b10460c7b2039a1405c1e91
>>
>> Staging repo for binaries:
>> https://repository.apache.org/content/repositories/orgapacheshiro-1010
>>
>> Project website (just for informational purposes, not to be voted upon):
>> http://shiro.apache.org/
>>
>> Guide to testing staged releases:
>> http://maven.apache.org/guides/development/guide-testing-releases.html
>>
>> Vote open for 72 hours. Please do examine the source and binaries before
>> voting.
>>
>> [ ] +1
>> [ ] +0
>> [ ] -1 (please include reasoning)
>> Richard Bradley
>> Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575
>>
>> softwire
>> Sunday Times Best Small Companies - UK top 25 six years running
>> Web : www.softwire.com<http://www.softwire.com/> | Follow us on Twitter
>> : @SoftwireUK<https://twitter.com/SoftwireUK>
>> Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
>> Softwire Technology Limited. Registered in England no. 3824658.
>> Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3
>> 2FG
>>
>
>


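Richard's point about the default cookie mechanism, as an added illustration (this is not Shiro's code and not code posted by anyone on the thread): two remember-me cookie designs side by side, both authenticated with the same server key. In the first, the cookie body is a serialized object the server deserializes after the key check passes, so a holder of the key gets code execution. In the second, the body is a small record the server parses and validates field by field, so a holder of the key can at most forge a login as a user of their choosing. Assumptions: Python's pickle stands in for Java serialization, an HMAC stands in for Shiro's AES-based cookie (the question is what a key holder can do, so the keyed primitive does not matter), and the key, the user names and the Gadget class are constructed for the demonstration.

```python
"""Added example: remember-me cookie that deserializes vs. one that only parses.

pickle stands in for Java serialization, an HMAC for Shiro's AES cookie.
Key, user names and the Gadget class are constructed, not real."""
import base64
import hashlib
import hmac
import json
import pickle
import time

# Constructed server key; the scenario is a key that leaked, e.g. copied from an example.
SERVER_KEY = b"example-key-copied-from-docs"

# Records that attacker-chosen code ran inside the server process.
GADGET_LOG = []


def record_execution(message):
    """Harmless stand-in for what a real gadget chain would do (spawn a shell)."""
    GADGET_LOG.append(message)


class Gadget:
    """Object whose deserialization triggers a call chosen by the attacker."""
    def __reduce__(self):
        return (record_execution, ("attacker code ran during deserialization",))


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _split_and_verify(key, cookie):
    """Return the authenticated body bytes, or None on malformed input or bad MAC."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:  # no separator, bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_mac(key, body), tag):
        return None
    return body


# Design 1: serialized principal in the cookie (the pattern Richard objects to).
def issue_serialized_cookie(key, principal):
    body = pickle.dumps(principal)
    return _b64e(body) + "." + _b64e(_mac(key, body))


def read_serialized_cookie(key, cookie):
    body = _split_and_verify(key, cookie)
    if body is None:
        return None
    # The MAC only proves a key holder built this; it says nothing about what
    # the bytes do when deserialized.
    return pickle.loads(body)


# Design 2: identity token that is parsed and validated, never deserialized.
def issue_token_cookie(key, username, ttl_seconds, now=None):
    now = int(time.time()) if now is None else now
    body = json.dumps({"user": username, "exp": now + ttl_seconds},
                      separators=(",", ":")).encode("utf-8")
    return _b64e(body) + "." + _b64e(_mac(key, body))


def read_token_cookie(key, cookie, now=None):
    """Return the remembered user name, or None if the cookie is not acceptable."""
    now = int(time.time()) if now is None else now
    body = _split_and_verify(key, cookie)
    if body is None:
        return None
    try:
        fields = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if (not isinstance(fields, dict)
            or not isinstance(fields.get("user"), str)
            or not isinstance(fields.get("exp"), int)
            or isinstance(fields.get("exp"), bool)):
        return None
    if fields["exp"] <= now:
        return None
    return fields["user"]


def attacker_with_key(leaked_key):
    """What a holder of the server key achieves against each design."""
    GADGET_LOG.clear()
    read_serialized_cookie(SERVER_KEY, issue_serialized_cookie(leaked_key, Gadget()))
    code_ran = bool(GADGET_LOG)
    # Best case against the token design: a forged session as "admin".
    forged_user = read_token_cookie(SERVER_KEY, issue_token_cookie(leaked_key, "admin", 3600))
    # Handing the token parser a serialized object gets nowhere: it is never unpickled.
    smuggled = read_token_cookie(SERVER_KEY, issue_serialized_cookie(leaked_key, Gadget()))
    return {"serialized_design_rce": code_ran,
            "token_design_forged_user": forged_user,
            "token_design_accepts_serialized_body": smuggled is not None}


if __name__ == "__main__":
    print(attacker_with_key(SERVER_KEY))
```

Running `attacker_with_key(SERVER_KEY)` reports code execution against the first design and only a forged "admin" login against the second, which is exactly the reduction in blast radius Richard describes: a leaked or guessable key still matters, but it no longer hands over the server. Note that the token reader rejects anything that is not a well-typed record before looking at it, so an encrypted-but-serialized body is just a MAC failure or a parse failure, not an execution path.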