Going to keep this open for a little while longer. We need a few more votes.
On Fri, May 13, 2016 at 10:48 PM, Brian Demers <[email protected]> wrote:

> I would like to hear other thoughts/opinions on Richard's comments. While I
> don't completely agree, he brings up a valid concern (copy/pasting from
> examples).
>
> I have some thoughts around the default serialization and cookie timeout
> fix that I'd like to test after this release is out.
>
> As for any notification, we need to cut the release first.
>
> On Fri, May 13, 2016 at 12:41 PM, Richard Bradley <[email protected]> wrote:
>
>> I think that the fix to https://issues.apache.org/jira/browse/SHIRO-550
>> still has some remaining issues. I have commented here:
>> https://github.com/apache/shiro/commit/64d9f8341e1aa7ef1a29744e16ea7c578ca5deee#commitcomment-17463570
>>
>> Further, I think it would be nice if the default cookie mechanisms didn't
>> deserialize user-provided values at all, to avoid RCE by those who know (or
>> can guess) the encryption key. It would be better if those who knew the key
>> were limited to being able to fake a login, rather than being able to own
>> the whole server. That seems less urgent than any fix to 550 though.
>>
>> Are there any plans to alert Shiro users that this release is very
>> urgent? I don't have the means or motivation to try to assess the extent of
>> this issue in the wild, but I expect that many current users of Shiro are
>> open to this serious vulnerability.
>>
>> Yours,
>>
>> Rich
>>
>> -----Original Message-----
>> From: Brian Demers [mailto:[email protected]]
>> Sent: 12 May 2016 02:13
>> To: [email protected]
>> Subject: [VOTE] Release Apache Shiro 1.2.5
>>
>> This is a call to vote in favor of releasing Apache Shiro version 1.2.5.
>> This is a bug fix point release from the 1.2.x branch.
>>
>> The following issues are fixed for 1.2.5:
>> https://issues.apache.org/jira/browse/SHIRO-562?jql=project%20%3D%20SHIRO%20and%20fixVersion%20%3D%201.2.5%20and%20resolution%20%3D%20Fixed
>>
>> Source:
>> https://git-wip-us.apache.org/repos/asf?p=shiro.git;a=commit;h=b70bcef984534aaa1b10460c7b2039a1405c1e91
>>
>> Staging repo for binaries:
>> https://repository.apache.org/content/repositories/orgapacheshiro-1010
>>
>> Project website (just for informational purposes, not to be voted upon):
>> http://shiro.apache.org/
>>
>> Guide to testing staged releases:
>> http://maven.apache.org/guides/development/guide-testing-releases.html
>>
>> Vote open for 72 hours. Please do examine the source and binaries before
>> voting.
>>
>> [ ] +1
>> [ ] +0
>> [ ] -1 (please include reasoning)
>>
>> Richard Bradley
>> Softwire | www.softwire.com
