From Richard Bradley <Richard.Brad...@softwire.com>
Subject RE: [VOTE] Release Apache Shiro 1.2.5
Date Fri, 13 May 2016 16:41:47 GMT
I think that the fix to https://issues.apache.org/jira/browse/SHIRO-550 still has some remaining
issues. I have commented here: https://github.com/apache/shiro/commit/64d9f8341e1aa7ef1a29744e16ea7c578ca5deee#commitcomment-17463570

Further, I think it would be nice if the default cookie mechanisms didn't deserialize user-provided
values at all, to avoid RCE by those who know (or can guess) the encryption key. It would
be better if those who knew the key were limited to being able to fake a login, rather than
being able to own the whole server. That seems less urgent than any fix to 550 though.

Are there any plans to alert Shiro users that this release is very urgent? I don't have the
means or motivation to try to assess the extent of this issue in the wild, but I expect that
many current users of Shiro are open to this serious vulnerability.

Yours,


Rich


-----Original Message-----
From: Brian Demers [mailto:brian.demers@gmail.com]
Sent: 12 May 2016 02:13
To: dev@shiro.apache.org
Subject: [VOTE] Release Apache Shiro 1.2.5

This is a call to vote in favor of releasing Apache Shiro version 1.2.5.
This is a bug fix point release from 1.2.x branch.

The following issues are fixed for 1.2.5:
https://issues.apache.org/jira/browse/SHIRO-562?jql=project%20%3D%20SHIRO%20and%20fixVersion%20%3D%201.2.5%20and%20resolution%20%3D%20Fixed

Source:
https://git-wip-us.apache.org/repos/asf?p=shiro.git;a=commit;h=b70bcef984534aaa1b10460c7b2039a1405c1e91

Staging repo for binaries:
https://repository.apache.org/content/repositories/orgapacheshiro-1010

Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for 72 hours. Please do examine the source and binaries before voting.

[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

Richard Bradley
Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575

softwire
Sunday Times Best Small Companies - UK top 25 six years running
Web : http://www.softwire.com/ | Follow us on Twitter : @SoftwireUK (https://twitter.com/SoftwireUK)
Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
Softwire Technology Limited. Registered in England no. 3824658. Registered Office : Gallery
Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
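The design point raised above (a remember-me cookie that is never fed to a Java deserializer, so that a party who knows the cookie key can at most forge a login, not execute code) can be illustrated with the following added example. It is not Shiro code and not part of this thread; the `OpaqueRememberMeToken` class, its `issue`/`verify` methods and the `name:expiry` payload layout are assumptions chosen for the illustration. The token carries only a principal name and an expiry, authenticated with HMAC-SHA256 over the raw bytes; nothing from the cookie reaches `ObjectInputStream`, and the MAC is checked with a constant-time comparison before the payload is parsed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical remember-me token (illustration only, not Shiro's RememberMeManager).
 * The cookie value is "base64url(name:expiryMillis).base64url(hmac)". Because the
 * server only ever parses a name and a number out of it, a holder of the key can
 * forge a login for a chosen name but cannot make the server instantiate classes.
 */
public final class OpaqueRememberMeToken {
    private static final String HMAC_ALG = "HmacSHA256";
    private final byte[] key;

    public OpaqueRememberMeToken(byte[] key) {
        if (key.length < 32) throw new IllegalArgumentException("key must be at least 256 bits");
        this.key = key.clone();
    }

    /** Issues a token for the given principal that is valid until expiryEpochMillis. */
    public String issue(String principalName, long expiryEpochMillis) {
        if (principalName.isEmpty() || principalName.indexOf(':') >= 0)
            throw new IllegalArgumentException("principal name must be non-empty and contain no ':'");
        byte[] payload = (principalName + ":" + expiryEpochMillis).getBytes(StandardCharsets.UTF_8);
        return b64(payload) + "." + b64(mac(payload));
    }

    /** Returns the principal name, or null if the token is malformed, tampered with, or expired. */
    public String verify(String token, long nowEpochMillis) {
        int dot = token.indexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return null;
        byte[] payload, givenMac;
        try {
            payload = Base64.getUrlDecoder().decode(token.substring(0, dot));
            givenMac = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // not valid base64url: reject before looking at the contents
        }
        // Constant-time comparison: the MAC must not be recoverable byte by byte via timing.
        if (!MessageDigest.isEqual(mac(payload), givenMac)) return null;
        String text = new String(payload, StandardCharsets.UTF_8);
        int sep = text.lastIndexOf(':');
        if (sep <= 0) return null;
        long expiry;
        try {
            expiry = Long.parseLong(text.substring(sep + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowEpochMillis > expiry) return null;
        return text.substring(0, sep);
    }

    private byte[] mac(byte[] data) {
        try {
            Mac m = Mac.getInstance(HMAC_ALG);
            m.init(new SecretKeySpec(key, HMAC_ALG));
            return m.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed key for the demo; a real one lives in config
        OpaqueRememberMeToken rm = new OpaqueRememberMeToken(key);
        long now = System.currentTimeMillis();
        long expiry = now + 86_400_000L;
        String token = rm.issue("alice", expiry);

        // Payload swapped for another name while keeping the original MAC: must fail verification.
        String[] parts = token.split("\\.", 2);
        String forged = b64(("mallory:" + expiry).getBytes(StandardCharsets.UTF_8)) + "." + parts[1];

        System.out.println("valid    -> " + rm.verify(token, now));
        System.out.println("forged   -> " + rm.verify(forged, now));
        System.out.println("expired  -> " + rm.verify(token, expiry + 1));
        System.out.println("garbage  -> " + rm.verify("not.a.token", now));
    }
}
```

The order of checks in `verify` is the point of the design: base64 decoding and the MAC check happen before any interpretation of the payload, and the payload itself is only ever split into a string and a `long`. Compare this with a cookie that is decrypted and then deserialized: there the key alone gates what classes get instantiated, which is the exposure Richard describes.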