I think that the fix to https://issues.apache.org/jira/browse/SHIRO-550 still has some remaining issues. I have commented here: https://github.com/apache/shiro/commit/64d9f8341e1aa7ef1a29744e16ea7c578ca5deee#commitcomment-17463570
Further, I think it would be nice if the default cookie mechanisms didn't deserialize user-provided values at all, to avoid RCE by those who know (or can guess) the encryption key. It would be better if those who knew the key were limited to being able to fake a login, rather than being able to own the whole server. That seems less urgent than any fix to 550 though.

Are there any plans to alert Shiro users that this release is very urgent? I don't have the means or motivation to try to assess the extent of this issue in the wild, but I expect that many current users of Shiro are open to this serious vulnerability.

Yours,
Rich

-----Original Message-----
From: Brian Demers [mailto:[email protected]]
Sent: 12 May 2016 02:13
To: [email protected]
Subject: [VOTE] Release Apache Shiro 1.2.5

This is a call to vote in favor of releasing Apache Shiro version 1.2.5. This is a bug fix point release from 1.2.x branch.

The following issues are fixed for 1.2.5:
https://issues.apache.org/jira/browse/SHIRO-562?jql=project%20%3D%20SHIRO%20and%20fixVersion%20%3D%201.2.5%20and%20resolution%20%3D%20Fixed

Source:
https://git-wip-us.apache.org/repos/asf?p=shiro.git;a=commit;h=b70bcef984534aaa1b10460c7b2039a1405c1e91

Staging repo for binaries:
https://repository.apache.org/content/repositories/orgapacheshiro-1010

Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for 72 hours. Please do examine the source and binaries before voting.
[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

Richard Bradley
Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575
softwire
Sunday Times Best Small Companies - UK top 25 six years running
Web : www.softwire.com | Follow us on Twitter : @SoftwireUK (https://twitter.com/SoftwireUK)
Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
Softwire Technology Limited. Registered in England no. 3824658. Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
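The design point Rich raises above (a cookie that the server deserializes lets anyone holding the key run code; a cookie that the server merely parses limits them to a forged login) can be shown side by side. The block below is an added example, not Shiro code and not from anyone on this thread: it is a Python stand-in in which pickle plays the role of Java serialization and an HMAC-SHA256 tag plays the role of Shiro's cookie encryption. The key, the gadget class and the claim names are all constructed for the example; what is being modelled is only the case Rich describes, where the attacker already knows the key, so both designs accept a forged cookie and the difference is what the server does with the bytes afterwards.

```python
# Added example, not Shiro code: two remember-me cookie designs compared under
# the assumption that the attacker already knows the cookie key. pickle stands
# in for Java serialization; an HMAC stands in for Shiro's cookie encryption
# (the key is known to the attacker either way, so the only difference that
# matters is what the server does with the decoded bytes).
import base64
import hashlib
import hmac
import json
import pickle
import time

KEY = b"constructed-default-cookie-key"  # constructed; plays the role of a known/default key
EXECUTED = []                             # records code that ran as a side effect of deserialization


def _mark_executed(msg):
    """Benign stand-in for an attacker gadget: records that it ran, then hands
    back a principal so the forged 'login' also succeeds."""
    EXECUTED.append(msg)
    return {"principal": "admin"}


def _seal(payload: bytes) -> str:
    tag = hmac.new(KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(tag + payload).decode()


def _open(cookie: str) -> bytes:
    raw = base64.b64decode(cookie)
    tag, payload = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, payload, hashlib.sha256).digest()):
        raise ValueError("cookie failed integrity check")
    return payload


# Design 1: the cookie carries a serialized object and the server deserializes it.
def make_cookie_serialized(principal: str) -> str:
    return _seal(pickle.dumps({"principal": principal}))


def load_cookie_serialized(cookie: str) -> str:
    return pickle.loads(_open(cookie))["principal"]  # arbitrary code may run here


class _Gadget:
    """Constructed gadget: deserializing it calls _mark_executed()."""

    def __reduce__(self):
        return (_mark_executed, ("attacker code ran inside pickle.loads",))


def attacker_forge_serialized() -> str:
    return _seal(pickle.dumps(_Gadget()))


# Design 2: the cookie carries a fixed-schema token; the server parses, never deserializes.
def make_cookie_token(principal: str, ttl: int = 30 * 24 * 3600) -> str:
    claims = {"principal": principal, "exp": int(time.time()) + ttl}
    return _seal(json.dumps(claims, separators=(",", ":")).encode())


def load_cookie_token(cookie: str) -> str:
    claims = json.loads(_open(cookie).decode("utf-8"))
    if not isinstance(claims, dict) or set(claims) != {"principal", "exp"}:
        raise ValueError("unexpected claim set")
    principal, exp = claims["principal"], claims["exp"]
    if not isinstance(principal, str) or not isinstance(exp, int):
        raise ValueError("wrong claim types")
    if exp < time.time():
        raise ValueError("cookie expired")
    return principal


def attacker_forge_token() -> str:
    return make_cookie_token("admin")  # worst case with the key: a fake login


def compare_designs() -> dict:
    """Run the forged cookie through each design and report what the server saw
    and whether attacker-controlled code executed during loading."""
    EXECUTED.clear()
    p1 = load_cookie_serialized(attacker_forge_serialized())
    ran1 = list(EXECUTED)
    EXECUTED.clear()
    p2 = load_cookie_token(attacker_forge_token())
    ran2 = list(EXECUTED)
    try:  # a serialized gadget fed to the token parser is rejected, not executed
        load_cookie_token(attacker_forge_serialized())
        rejected = False
    except ValueError:
        rejected = True
    return {
        "serialized": (p1, ran1),
        "token": (p2, ran2),
        "gadget_rejected_by_token_parser": rejected and not EXECUTED,
    }


if __name__ == "__main__":
    print(compare_designs())
```

Both forged cookies pass the integrity check, because the attacker holds the key. In design 1 the server's own loading step executes the gadget before any login decision is made; in design 2 the attacker gets exactly a principal string and an expiry, and the same gadget bytes fail to parse as JSON. The schema check on claim names and types is what keeps design 2 from turning back into a general-purpose object loader.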
