Shiro Devs,

I am working on a security update for the shiro package in Debian.  The
announcement for 1.6.0 indicates that CVE-2020-13933 is fixed in that
release.  However, the specific commit is not identified.  Additionally,
since neither the announcement nor any available information on the CVE
describes the means of exploitation, it is not clear how I should proceed
to go about backporting the fix.

The 1.6.0 announcement describes the new "Global Filters" feature as
helping to mitigate the type of issue described by CVE-2020-13933.  It
seems that commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is what is
being referred to.  However, the change is rather substantial and
appears like it would require significant reworking to apply to 1.3.2.

If someone could help with the following questions it would be very much
appreciated:

- Is a backport of commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d to
  1.3.2 possible/feasible?
- Would it be possible to obtain information about the exploit to assist
  with either backporting dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d or
  with developing a new fix for 1.3.2?
- Is there another approach that I should be considering instead?

Regards,

-Roberto

-- 
Roberto C. Sánchez