Author: jleroux
Date: Sun Jun 19 22:30:06 2016
New Revision: 1749220

URL: http://svn.apache.org/viewvc?rev=1749220&view=rev
Log:
Updates Shiro to 1.2.5 (CVE-2016-4437) - 
https://issues.apache.org/jira/browse/OFBIZ-7373

Apache Shiro before 1.2.5, when a cipher key has not been configured for the 
"remember me" feature, allows remote attackers to execute arbitrary code or 
bypass intended access restrictions via an unspecified request parameter.

Details at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4437

Added:
    ofbiz/trunk/framework/base/lib/shiro-core-1.2.5.jar   (with props)
Removed:
    ofbiz/trunk/framework/base/lib/shiro-core-1.2.3.jar
Modified:
    ofbiz/trunk/.classpath
    ofbiz/trunk/LICENSE
    ofbiz/trunk/build.xml

Modified: ofbiz/trunk/.classpath
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/.classpath?rev=1749220&r1=1749219&r2=1749220&view=diff
==============================================================================
--- ofbiz/trunk/.classpath (original)
+++ ofbiz/trunk/.classpath Sun Jun 19 22:30:06 2016
@@ -43,7 +43,7 @@
        <classpathentry kind="lib" 
path="framework/base/lib/owasp-java-html-sanitizer-r239.jar"/>
        <classpathentry kind="lib" 
path="framework/base/lib/resolver-2.9.1.jar"/>
        <classpathentry kind="lib" 
path="framework/base/lib/serializer-2.9.1.jar"/>
-       <classpathentry kind="lib" 
path="framework/base/lib/shiro-core-1.2.3.jar"/>
+       <classpathentry kind="lib" 
path="framework/base/lib/shiro-core-1.2.5.jar"/>
        <classpathentry kind="lib" 
path="framework/base/lib/slf4j-api-1.6.4.jar"/>
        <classpathentry kind="lib" 
path="framework/base/lib/tika-core-1.12.jar"/>
        <classpathentry kind="lib" 
path="framework/base/lib/tika-parsers-1.12.jar"/>
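
Review bot: the replaced `shiro-core-1.2.3.jar` entry in .classpath is one of three hardcoded copies of the version-stamped file name touched by this revision (LICENSE and build.xml carry the same string), so a reference missed elsewhere would keep pointing at the removed jar. Before committing, search the tree for `shiro-core-1.2.3` to confirm these three files are the only places that name it.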

Modified: ofbiz/trunk/LICENSE
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/LICENSE?rev=1749220&r1=1749219&r2=1749220&view=diff
==============================================================================
--- ofbiz/trunk/LICENSE (original)
+++ ofbiz/trunk/LICENSE Sun Jun 19 22:30:06 2016
@@ -42,7 +42,7 @@ framework/base/lib/nekohtml-1.9.16.jar
 framework/base/lib/pdfbox-1.8.12.jar
 framework/base/lib/resolver-2.9.1.jar
 framework/base/lib/serializer-2.9.1.jar
-framework/base/lib/shiro-core-1.2.3.jar
+framework/base/lib/shiro-core-1.2.5.jar
 framework/base/lib/tika-core-1.12.jar
 framework/base/lib/tika-parsers-1.12.jar
 framework/base/lib/ws-commons-java5-1.0.1.jar

Modified: ofbiz/trunk/build.xml
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/build.xml?rev=1749220&r1=1749219&r2=1749220&view=diff
==============================================================================
--- ofbiz/trunk/build.xml (original)
+++ ofbiz/trunk/build.xml Sun Jun 19 22:30:06 2016
@@ -1477,7 +1477,7 @@ under the License.
             <classpath>
                 <path location="framework/base/build/lib/ofbiz-base.jar"/>
                 <path 
location="framework/base/lib/commons/commons-codec-1.10.jar"/>
-                <path location="framework/base/lib/shiro-core-1.2.3.jar"/>
+                <path location="framework/base/lib/shiro-core-1.2.5.jar"/>
                 <path location="framework/base/lib/slf4j-api-1.6.4.jar"/>
             </classpath>
         </java>
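
Review bot: the `shiro-core-1.2.5.jar` path on this `<java>` task's classpath is swapped without any note on exposure, while the log ties CVE-2016-4437 to a "remember me" cipher key that has not been configured. Nothing in this diff shows whether OFBiz enables that feature or sets a key, so the log or OFBIZ-7373 should say whether OFBiz was actually affected. All changed paths are under ofbiz/trunk, so it is also worth stating whether the release branches need the same update.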

Added: ofbiz/trunk/framework/base/lib/shiro-core-1.2.5.jar
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/shiro-core-1.2.5.jar?rev=1749220&view=auto
==============================================================================
Binary file - no diff available.

Propchange: ofbiz/trunk/framework/base/lib/shiro-core-1.2.5.jar
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream
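
Review bot: the added shiro-core-1.2.5.jar is a binary with no diff available, so this mail gives reviewers no way to confirm that the file matches the upstream Shiro 1.2.5 release. Recording the artifact's checksum and download source in the commit log or in OFBIZ-7373 would let anyone verify it independently.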

