(ofbiz-framework) branch release18.12 updated: Reverted: Upgrade Apache Shiro to 1.13.0 to fix CVE-2023-46750 (OFBIZ-12866)" This reverts commit f76c08b0ac64de35fcc458e2ef2a6660507502e0. This reverts commit 854b3225befa62f6cce694dbaab4dd3953fa9906.

Wed, 15 Nov 2023 02:50:00 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 7935a14627 Reverted: Upgrade Apache Shiro to 1.13.0 to fix 
CVE-2023-46750 (OFBIZ-12866)" This reverts commit 
f76c08b0ac64de35fcc458e2ef2a6660507502e0. This reverts commit 
854b3225befa62f6cce694dbaab4dd3953fa9906.
7935a14627 is described below

commit 7935a14627a86325440516ac6b892a5f9d635e4d
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Nov 15 11:42:37 2023 +0100

    Reverted: Upgrade Apache Shiro to 1.13.0 to fix CVE-2023-46750 
(OFBIZ-12866)"
    This reverts commit f76c08b0ac64de35fcc458e2ef2a6660507502e0.
    This reverts commit 854b3225befa62f6cce694dbaab4dd3953fa9906.
    
    OFBiz is not concerned by CVE-2023-46750
    
    As we don't use Shiro form authentication we can keep the previous setting.
    We use Shiro only to encrypt and decrypt date in EntityCrypto class.
---
 build.gradle                                                          | 2 +-
 .../base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java     | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 3ac4f9a40e..c7afc0392b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -209,7 +209,7 @@ dependencies {
     compile 'org.apache.logging.log4j:log4j-web:2.17.2' //???
     compile 'org.apache.poi:poi:3.17'
     compile 'org.apache.pdfbox:pdfbox:2.0.24'
-    compile 'org.apache.shiro:shiro-core:1.13.0'
+    compile 'org.apache.shiro:shiro-core:1.4.0'
     compile 'org.apache.sshd:sshd-core:1.7.0'
     compile 'org.apache.tika:tika-core:1.28.4'
     compile 'org.apache.tika:tika-parsers:1.28.4'
diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java
index 0d907bfe41..924b4b65c5 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java
@@ -130,11 +130,9 @@ public class DesCrypt {
     // return a cipher for a key - DESede/CBC/PKCS5Padding with random IV
     protected static Cipher getCipher(Key key, int mode, IvParameterSpec iv) 
throws GeneralException {
         // create the Cipher - DESede/CBC/PKCS5Padding
-        // create the Cipher - AES/CBC/PKCS5Padding
         Cipher cipher = null;
         try {
-            //cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
-            cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+            cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
         } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
             throw new GeneralException(e);
         }

Reply via email to