shiro-dev mailing list archives

From Brian Demers <brian.dem...@gmail.com>
Subject Re: [VOTE] Release Apache Shiro 1.2.5
Date Sat, 14 May 2016 02:48:17 GMT
I would like to hear other thoughts/opinions on Richard's comments; while I
don't completely agree, he brings up a valid concern (copy / pasting from
examples).

I have some thoughts around the default serialization and cookie timeout
fix that I'd like to test after this release is out.

As for any notification, we need to cut the release first.


On Fri, May 13, 2016 at 12:41 PM, Richard Bradley <
Richard.Bradley@softwire.com> wrote:

> I think that the fix to https://issues.apache.org/jira/browse/SHIRO-550
> still has some remaining issues. I have commented here:
> https://github.com/apache/shiro/commit/64d9f8341e1aa7ef1a29744e16ea7c578ca5deee#commitcomment-17463570
>
> Further, I think it would be nice if the default cookie mechanisms didn't
> deserialize user-provided values at all, to avoid RCE by those who know (or
> can guess) the encryption key. It would be better if those who knew the key
> were limited to being able to fake a login, rather than being able to own
> the whole server. That seems less urgent than any fix to 550 though.
>
> Are there any plans to alert Shiro users that this release is very urgent?
> I don't have the means or motivation to try to assess the extent of this
> issue in the wild, but I expect that many current users of Shiro are open
> to this serious vulnerability.
>
> Yours,
>
>
> Rich
>
>
> -----Original Message-----
> From: Brian Demers [mailto:brian.demers@gmail.com]
> Sent: 12 May 2016 02:13
> To: dev@shiro.apache.org
> Subject: [VOTE] Release Apache Shiro 1.2.5
>
> This is a call to vote in favor of releasing Apache Shiro version 1.2.5.
> This is a bug fix point release from 1.2.x branch.
>
> The following issues are fixed for 1.2.5:
>
> https://issues.apache.org/jira/browse/SHIRO-562?jql=project%20%3D%20SHIRO%20and%20fixVersion%20%3D%201.2.5%20and%20resolution%20%3D%20Fixed
>
> Source:
>
> https://git-wip-us.apache.org/repos/asf?p=shiro.git;a=commit;h=b70bcef984534aaa1b10460c7b2039a1405c1e91
>
> Staging repo for binaries:
> https://repository.apache.org/content/repositories/orgapacheshiro-1010
>
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
>
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for 72 hours. Please do examine the source and binaries before
> voting.
>
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> Richard Bradley
>

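Richard's design point above (do not deserialize user-provided cookie values at all, so that someone who knows the key can at most forge a login) illustrated as an added example that is not Shiro's own code nor the code in the commit under discussion. It is a hypothetical remember-me cookie codec: the cookie carries only a principal name and an expiry, encoded as a plain UTF-8 string and sealed with AES-GCM. The class name, the field layout, and the constructed demo key are assumptions. A party who knows the key can still mint a cookie for any principal, which is the reduced impact Richard describes, but decode() never touches ObjectInputStream, so there is no deserialization path to code execution.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical remember-me cookie codec (added example, not Shiro's code).
 * Cookie layout: base64url( iv || AES-GCM( "v1|<principal>|<expiresAtMillis>" ) ).
 * Decoding verifies the GCM tag first and then parses a string; no Java
 * serialization is involved anywhere, so a leaked or guessed key lets an
 * attacker forge an identity but not run code on the server.
 */
public final class StringRememberMeCodec {
    private static final int IV_BYTES = 12;   // 96-bit nonce, as recommended for GCM
    private static final int TAG_BITS = 128;  // full-size authentication tag
    private static final String VERSION = "v1";

    private final SecretKeySpec key;
    private final SecureRandom random = new SecureRandom();

    public StringRememberMeCodec(byte[] rawKey) {
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Builds the cookie value for a principal; expiresAtMillis is epoch milliseconds. */
    public String encode(String principal, long expiresAtMillis) throws GeneralSecurityException {
        if (principal.indexOf('|') >= 0) {
            throw new IllegalArgumentException("principal must not contain the '|' separator");
        }
        String payload = VERSION + "|" + principal + "|" + expiresAtMillis;
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);  // fresh nonce per cookie; never reuse an IV under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] sealed = cipher.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + sealed.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(sealed, 0, out, iv.length, sealed.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the principal if the cookie is authentic and unexpired, otherwise empty. */
    public Optional<String> decode(String cookie, long nowMillis) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookie);
            if (in.length < IV_BYTES + TAG_BITS / 8) {
                return Optional.empty();  // too short to hold a nonce and a tag
            }
            GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, spec);
            // doFinal throws AEADBadTagException on any modification, before anything is parsed
            byte[] plain = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            String[] parts = new String(plain, StandardCharsets.UTF_8).split("\\|", -1);
            if (parts.length != 3 || !VERSION.equals(parts[0])) {
                return Optional.empty();
            }
            long expiresAt = Long.parseLong(parts[2]);
            if (nowMillis >= expiresAt) {
                return Optional.empty();  // expiry is enforced server-side, not trusted from the client
            }
            return Optional.of(parts[1]);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // bad base64, bad tag, or malformed payload: treat all as "no remembered identity"
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[16];
        new SecureRandom().nextBytes(demoKey);  // constructed demo key; a real deployment loads its own
        StringRememberMeCodec codec = new StringRememberMeCodec(demoKey);
        long now = System.currentTimeMillis();

        String cookie = codec.encode("alice", now + 60_000L);
        System.out.println("valid    -> " + codec.decode(cookie, now));
        System.out.println("expired  -> " + codec.decode(cookie, now + 120_000L));

        // Flip one ciphertext bit: the GCM tag check fails and nothing is parsed.
        byte[] raw = Base64.getUrlDecoder().decode(cookie);
        raw[IV_BYTES] ^= 0x01;
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("tampered -> " + codec.decode(tampered, now));
    }
}
```

The key design choice is that the cookie's plaintext is a fixed three-field string rather than a serialized object graph, so the worst a forged-but-authentic cookie can do is name a principal; what that principal is then allowed to do remains a question for the server's own authorization checks, and the usual HttpOnly and Secure cookie attributes still apply.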