This is an automated email from the ASF dual-hosted git repository.
bdemers pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/shiro-site.git
The following commit(s) were added to refs/heads/main by this push:
new 6dba670b7 add 1.10.0 release blog
6dba670b7 is described below
commit 6dba670b76a2d64650cac9abaa388fe07aac6593
Author: Brian Demers <[email protected]>
AuthorDate: Tue Oct 11 22:44:06 2022 -0400
add 1.10.0 release blog
---
.../10/10/2022/apache-shiro-1101-released.adoc | 77 ++++++++++++++++++++++
src/site/content/security-reports.adoc | 4 ++
2 files changed, 81 insertions(+)
diff --git
a/src/site/content/blog/2022/10/10/2022/apache-shiro-1101-released.adoc
b/src/site/content/blog/2022/10/10/2022/apache-shiro-1101-released.adoc
new file mode 100644
index 000000000..8fa54b708
--- /dev/null
+++ b/src/site/content/blog/2022/10/10/2022/apache-shiro-1101-released.adoc
@@ -0,0 +1,77 @@
+////
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+////
+
+= 1.10.0 available with fix CVE-2022-40664
+Brian Demers
+:jbake-date: 2022-10-10 00:00:00
+:jbake-type: post
+:jbake-status: published
+:jbake-tags: blog, release
+:idprefix:
+:icons: font
+
+The Shiro team is pleased to announce the release of Apache Shiro version
1.10.0.
+This is a feature release for 1.x.
+
+This release solves 7 issues since the 1.9.1 release and is available for
download now.
+
+== All changes
+
+You can learn more on
https://issues.apache.org/jira/projects/SHIRO/versions/12351946[Jira, Release
1.10.0].
+
+=== CVE-2022-40664
+Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when
forwarding or including via RequestDispatcher.
+
+Credit:
+Apache Shiro would like to thank Y4tacker for reporting this issue.
+
+=== Bug
+
+* [https://issues.apache.org/jira/browse/SHIRO-512[SHIRO-512]] - Race
condition in Shiro's web container session timeout handling
+* [https://issues.apache.org/jira/browse/SHIRO-887[SHIRO-887]] -
FormAuthenticationFilter trims passwords which start and/or end with one or
more space character(s)
+
+=== Improvement
+
+* [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - fix source
jar Reproducible Builds issue
+* [https://issues.apache.org/jira/browse/SHIRO-884[SHIRO-884]] - fix source
jar Reproducible Builds issue
+* [https://issues.apache.org/jira/browse/SHIRO-885[SHIRO-885]] - Use OWASP
Java Encoder with OSGi manifest
+* [https://issues.apache.org/jira/browse/SHIRO-890[SHIRO-890]] - Avoid another
proxy creator when @EnableAspectJAutoProxy enabled
+* [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - Allow for
direct configuration of ShiroFilter through WebEnvironment
+
+=== Dependency upgrade
+
+* Many dependency updates
+
+=== Behavior Changes
+
+As of 1.10.0, Shiro may filter a request multiple times, e.g. when including
or forwarding requests.
+
+This behavior can be reverted by setting the following property:
`shiro.filterOncePerRequest=true`
+
+== Download
+
+Download and verification instructions are available link:/download.html[on
our download page].
+
+== Documentation
+
+For more information on link:/documentation.html[Shiro, please read the
documentation.]
+
+Enjoy!
+
+The Apache Shiro Team
diff --git a/src/site/content/security-reports.adoc
b/src/site/content/security-reports.adoc
index 1b06f0a85..d195bc0ff 100644
--- a/src/site/content/security-reports.adoc
+++ b/src/site/content/security-reports.adoc
@@ -29,6 +29,10 @@ A http://www.apache.org/security/committers.html[more
detailed description of th
== Apache Shiro Vulnerability Reports
+===
link:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40664[CVE-2022-40664]
+
+Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when
forwarding or including via RequestDispatcher.
+
===
link:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32532[CVE-2022-32532]
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be
bypassed on some servlet containers. Applications using RegExPatternMatcher
with `.` in the regular expression are possibly vulnerable to an authorization
bypass.
