Date: Fri, 3 Jun 2016 11:26:53 -0400 From: Brian Demers <bdemers@...che.org> To: dev@...ro.apache.org, "user@...ro.apache.org" <user@...ro.apache.org>, security@...ro.apache.org, announce@...ro.apache.org, "security@...che.org" <security@...che.org>, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: 1.0.0-incubating - 1.2.4 Description: A default cipher key is used for the "remember me" feature when not explicitly configured. A request that included a specially crafted request parameter could be used to execute arbitrary code or access content that would otherwise be protected by a security constraint. Mitigation: Users should upgrade to 1.2.5 , ensure a secret cipher key is configured , or disable the "remember me" feature.  All binaries (.jars) are available in Maven Central already. References:  http://shiro.apache.org/download.html  http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues  If using a shiro.ini, "remember me" can be disabled adding the following config line in the '[main]' section: securityManager.rememberMeManager = null
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ