Return-Path: <dev-return-7423-archive-asf-public=cust-asf.ponee.io@shiro.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 93AC9200C45
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Tue, 28 Mar 2017 20:34:47 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 9246E160B89; Tue, 28 Mar 2017 18:34:47 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id DAA2C160B6B
	for <archive-asf-public@cust-asf.ponee.io>; Tue, 28 Mar 2017 20:34:46 +0200 (CEST)
Received: (qmail 59193 invoked by uid 500); 28 Mar 2017 18:34:46 -0000
Mailing-List: contact dev-help@shiro.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@shiro.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@shiro.apache.org>
List-Post: <mailto:dev@shiro.apache.org>
List-Id: <dev.shiro.apache.org>
Reply-To: dev@shiro.apache.org
Delivered-To: mailing list dev@shiro.apache.org
Received: (qmail 59160 invoked by uid 99); 28 Mar 2017 18:34:44 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 28 Mar 2017 18:34:44 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 0CCC9C18C3
	for <dev@shiro.apache.org>; Tue, 28 Mar 2017 18:34:44 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -100.002
X-Spam-Level: 
X-Spam-Status: No, score=-100.002 tagged_above=-999 required=6.31
	tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
	USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024)
	with ESMTP id Lg4UsNAFan-e for <dev@shiro.apache.org>;
	Tue, 28 Mar 2017 18:34:43 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 8D9885FACA
	for <dev@shiro.apache.org>; Tue, 28 Mar 2017 18:34:42 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id D452CE06C7
	for <dev@shiro.apache.org>; Tue, 28 Mar 2017 18:34:41 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 89A5525CE7
	for <dev@shiro.apache.org>; Tue, 28 Mar 2017 18:34:41 +0000 (UTC)
Date: Tue, 28 Mar 2017 18:34:41 +0000 (UTC)
From: "Brian Demers (JIRA)" <jira@apache.org>
To: dev@shiro.apache.org
Message-ID: <JIRA.13059787.1490719023000.145685.1490726081541@Atlassian.JIRA>
In-Reply-To: <JIRA.13059787.1490719023000@Atlassian.JIRA>
References: <JIRA.13059787.1490719023000@Atlassian.JIRA> <JIRA.13059787.1490719023183@jira-lw-us.apache.org>
Subject: [jira] [Commented] (SHIRO-619) Used Limited access BeanUtilsBean
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Tue, 28 Mar 2017 18:34:47 -0000


    [ https://issues.apache.org/jira/browse/SHIRO-619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15945691#comment-15945691 ] 

Brian Demers commented on SHIRO-619:
------------------------------------

Thanks [~YauheniSidarenka]
PR [#40 | https://github.com/apache/shiro/pull/60] should address your concern, though the usage of BeanUtils in Shiro only happens at configuration (application boot up) time.

In the future, please bring up any CVE / security issues to the private lists first security@shiro.apache.org or security@apache.org.
For more info see: https://www.apache.org/security/

> Used Limited access BeanUtilsBean
> ---------------------------------
>
>                 Key: SHIRO-619
>                 URL: https://issues.apache.org/jira/browse/SHIRO-619
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.3.2, 1.4.0-RC2
>            Reporter: Yauheni Sidarenka
>
> This issue stems from https://issues.apache.org/jira/browse/SHIRO-576.
> In my humble opinion, it is not enough just to set the version of commons-beanutils to 1.9.2 or to 1.9.3 in order to fix CVE-2014-0114 vulnerability because mentioned versions *DO NOT* fix it by default. In contrast, the fix should be applied explicitly by beanutils-consuming applications (see INTRODUCTION section in http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt).
> So, if Shiro uses _BeanUtilsBean_ somehow and is vulnerable to mentioned CVE, it would be worth to configure _BeanUtilsBean_ as it is recommended in beanutils' release notes.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)