Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAH9eYVqvceWHY8M0BhqUaE0=UMKxGvNWMvimypCYqpGMsqMTQg@mail.gmail.com>
Date: Fri, 3 Jun 2016 11:26:53 -0400
From: Brian Demers <bdemers@...che.org>
To: dev@...ro.apache.org, "user@...ro.apache.org" <user@...ro.apache.org>, security@...ro.apache.org, 
	announce@...ro.apache.org, "security@...che.org" <security@...che.org>, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
1.0.0-incubating - 1.2.4

Description:
A default cipher key is used for the "remember me" feature when not
explicitly configured.  A request that included a specially crafted request
parameter could be used to execute arbitrary code or access content that
would otherwise be protected by a security constraint.

Mitigation:
Users should upgrade to 1.2.5 [1],  ensure a secret cipher key is
configured [2], or disable the "remember me" feature. [3]

All binaries (.jars) are available in Maven Central already.

References:
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled adding the
following config line in the '[main]' section:
  securityManager.rememberMeManager = null

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.