I'd say no - it's the incubator release and we want people to move onto the tlp release. The interface changes were tiny, I doubt anybody would have a problem upgrading. If you have a specific need though obviously you could release at will and you'd get our votes.
Kalle

On Tue, Nov 2, 2010 at 10:14 PM, Alan D. Cabrera <[email protected]> wrote:
> Would it make sense to patch 1.0.0 and make a 1.0.1 release as well?
>
>
> Regards,
> Alan
>
> On Nov 2, 2010, at 9:03 PM, Les Hazlewood wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> CVE-2010-3863: Apache Shiro information disclosure vulnerability
>>
>> Severity: Important
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Shiro 1.0.0-incubating
>> The unsupported JSecurity 0.9.x versions are also affected
>>
>> Description:
>> Shiro's path-based filter chain mechanism did not normalize request paths
>> before performing path-matching logic. The result is that Shiro filter
>> chain matching logic was susceptible to potential path traversal attacks.
>>
>> Mitigation:
>> All users should upgrade to 1.1.0
>>
>> Example:
>> For a shiro.ini [urls] section entry:
>>
>> /account/** = authc, ...
>> /** = anon
>>
>> This states that all requests to the /account/** pages should be
>> authenticated (as indicated by the 'authc' (authentication) filter) in the
>> chain definition.
>>
>> A malicious request could be sent:
>>
>> GET /./account/index.jsp HTTP/1.1
>>
>> And access would be granted because the path was not normalized to
>> /account/index.jsp before evaluating the path for a match.
>>
>> Credit:
>> This issue was discovered by Luke Taylor of SpringSource.
>>
>> References:
>> http://shiro.apache.org/configuration.html
>>
>> Les Hazlewood
>
>
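An added example (not Apache Shiro's code) illustrating the defect in the advisory quoted above: a toy filter-chain resolver for the two [urls] entries, first matching the raw request path as the affected release did, then matching after normalization as the fix requires. The Ant-style matcher, `normalize_path` and `resolve_chain` are assumptions made for this illustration, not Shiro's API; the normalizer also handles `..` and repeated slashes, which goes beyond the single `/./` case in the advisory.

```python
# Added example, not Apache Shiro's code; matcher and helper names are assumptions.
import re
from typing import Optional

# shiro.ini [urls] entries quoted in the advisory, in declaration order
URL_CHAINS = [("/account/**", "authc"), ("/**", "anon")]

def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Ant-style pattern -> anchored regex: '/**' matches zero or more
    segments, '*' matches within one segment, the rest is literal."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

COMPILED_CHAINS = [(ant_to_regex(p), chain) for p, chain in URL_CHAINS]

def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments and drop empty ones ('//', trailing
    '/') so equivalent spellings compare equal. Assumes the container has
    already percent-decoded the path."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()      # climb one level, never above the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def resolve_chain(request_path: str, normalize: bool) -> Optional[str]:
    """Return the chain of the first [urls] entry that matches, top to
    bottom. normalize=False reproduces the pre-1.1.0 defect (the raw
    request path is matched); normalize=True is the corrected behaviour."""
    path = normalize_path(request_path) if normalize else request_path
    for regex, chain in COMPILED_CHAINS:
        if regex.match(path):
            return chain
    return None

if __name__ == "__main__":
    for p in ("/account/index.jsp", "/./account/index.jsp"):
        print(p, "raw:", resolve_chain(p, False), "normalized:", resolve_chain(p, True))
```

With the raw path, `/./account/index.jsp` falls through to the `anon` chain; after normalization it resolves to `authc` like `/account/index.jsp`.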
