Hi Shiro Devs,

Any chance someone could help with my request?

Regards,

-Roberto

On Thu, Sep 24, 2020 at 02:48:17PM -0400, Roberto C. Sánchez wrote:
> Shiro Devs,
>
> I am working on a security update for the shiro package in Debian. The
> announcement for 1.6.0 indicates that CVE-2020-13933 is fixed in that
> release. However, the specific commit is not identified. Additionally,
> since neither the announcement nor any available information on the CVE
> describes the means of exploitation it is not clear how I should proceed
> to go about backporting the fix.
>
> The 1.6.0 announcement describes the new "Global Filters" feature as
> helping to mitigate the type of issue described by CVE-2020-13933. It
> seems that commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is what is
> being referred to. However, the change is rather substantial and
> appears like it would require significant reworking to apply to 1.3.2.
>
> If someone could help with the following questions it would be very much
> appreciated:
>
> - Is a backport of commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d to
>   1.3.2 possible/feasible?
> - Would it be possible to obtain information about the exploit to assist
>   with either backporting dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d or
>   with developing a new fix for 1.3.2?
> - Is there another approach that I should be considering instead?
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez

--
Roberto C. Sánchez
