Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 3 Jun 2016 11:26:53 -0400
From: Brian Demers <>
To:, "" <>,,, "" <>,,
Subject: [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability

Severity: Important

The Apache Software Foundation

Versions Affected:
1.0.0-incubating - 1.2.4

A default cipher key is used for the "remember me" feature when not
explicitly configured.  A request that included a specially crafted request
parameter could be used to execute arbitrary code or access content that
would otherwise be protected by a security constraint.

Users should upgrade to 1.2.5 [1],  ensure a secret cipher key is
configured [2], or disable the "remember me" feature. [3]

All binaries (.jars) are available in Maven Central already.

[3] If using a shiro.ini, "remember me" can be disabled adding the
following config line in the '[main]' section:
  securityManager.rememberMeManager = null

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ