UbuntuUpdates.org

Package "libshiro-java"

Name: libshiro-java

Description:

Apache Shiro - Java Security Framework

Latest version: 1.3.2-4ubuntu0.2
Release: focal (20.04)
Level: security
Repository: universe
Head package: shiro
Homepage: http://shiro.apache.org

Other versions of "libshiro-java" in Focal

Repository  Area      Version
base        universe  1.3.2-4
updates     universe  1.3.2-4ubuntu0.2

Changelog

Version: 1.3.2-4ubuntu0.2 2023-09-07 04:09:21 UTC

  shiro (1.3.2-4ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: improper authentication issue when receiving specially
    crafted HTTP request
    - debian/patches/CVE-2020-13933.patch: new global filter added to block
      invalid requests.
    - debian/patches/CVE-2020-17510_1_of_2.patch: enable normalization of
      backslashes in invalid request filter.
    - debian/patches/CVE-2020-17510_2_of_2.patch: disable session ID URL
      rewriting by default.
    - debian/patches/CVE-2020-1957_11989.patch: patch updated with additional
      testing.
    - debian/patches/05-guice-improvements.patch: support for Guice 4 added
      with patch also acting as an additional commit for the above patches.
    - CVE-2020-13933
    - CVE-2020-17510

 -- Evan Caville <email address hidden> Tue, 08 Aug 2023 12:30:46 +1000

CVE-2020-13933: Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CVE-2020-17510: Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVE-2020-1957: Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Version: 1.3.2-4ubuntu0.1 2021-02-18 21:06:18 UTC

  shiro (1.3.2-4ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Improper Authentication
    - debian/patches/CVE-2020-1957_11989.patch: Fix a path-traversal issue
      where a specially-crafted request could cause an authentication bypass.
    - CVE-2020-1957
    - CVE-2020-11989

 -- Paulo Flabiano Smorigo <email address hidden> Thu, 11 Feb 2021 12:53:26 +0000

CVE-2020-1957: Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CVE-2020-11989: Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.


