Hi Roberto,

I found your email in my spam folder. Maybe this is the reason why no one answered.

There will probably be no backport for the CVE you mentioned. On the contrary, there were multiple other CVEs in the meantime. I highly recommend that you update to Shiro 1.6.0 and stay updated as much as possible. Is there a specific reason why you want to stay on 1.3.2? As far as I know, there was no version of Shiro which introduced incompatibilities.

Best regards,
Ben

On Fri., 18 Dec. 2020 at 02:08, Roberto C. Sánchez <[email protected]> wrote:
> bump
>
> On Thu, Sep 24, 2020 at 02:48:17PM -0400, Roberto C. Sánchez wrote:
> > Shiro Devs,
> >
> > I am working on a security update for the shiro package in Debian. The
> > announcement for 1.6.0 indicates that CVE-2020-13933 is fixed in that
> > release. However, the specific commit is not identified. Additionally,
> > since neither the announcement nor any available information on the CVE
> > describes the means of exploitation, it is not clear how I should proceed
> > to go about backporting the fix.
> >
> > The 1.6.0 announcement describes the new "Global Filters" feature as
> > helping to mitigate the type of issue described by CVE-2020-13933. It
> > seems that commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is what is
> > being referred to. However, the change is rather substantial and
> > appears like it would require significant reworking to apply to 1.3.2.
> >
> > If someone could help with the following questions it would be very much
> > appreciated:
> >
> > - Is a backport of commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d to
> >   1.3.2 possible/feasible?
> > - Would it be possible to obtain information about the exploit to assist
> >   with either backporting dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d or
> >   with developing a new fix for 1.3.2?
> > - Is there another approach that I should be considering instead?
> >
> > Regards,
> >
> > -Roberto
> >
> > --
> > Roberto C. Sánchez
>
> --
> Roberto C. Sánchez
