Date: Fri, 3 Jun 2016 11:26:53 -0400 From: Brian Demers <bdemers@...che.org> To: dev@...ro.apache.org, "user@...ro.apache.org" <user@...ro.apache.org>, security@...ro.apache.org, announce@...ro.apache.org, "security@...che.org" <security@...che.org>, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: 1.0.0-incubating - 1.2.4 Description: A default cipher key is used for the "remember me" feature when not explicitly configured. A request that included a specially crafted request parameter could be used to execute arbitrary code or access content that would otherwise be protected by a security constraint. Mitigation: Users should upgrade to 1.2.5 , ensure a secret cipher key is configured , or disable the "remember me" feature.  All binaries (.jars) are available in Maven Central already. References:  http://shiro.apache.org/download.html  http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues  If using a shiro.ini, "remember me" can be disabled adding the following config line in the '[main]' section: securityManager.rememberMeManager = null
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.