Hey Roberto, Sorry about the delay on this one, I originally thought we had answered your question.
The commit you are looking for is https://github.com/apache/shiro/commit/dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d If you are maintaining a 1.3.x package this is going to become more difficult, is it possible to deprecate it and move to a recent version? On Sat, Jan 30, 2021 at 4:45 PM Roberto C. Sánchez <[email protected]> wrote: > Bump. > > On Tue, Dec 22, 2020 at 09:30:47AM -0500, Roberto C. Sánchez wrote: > > On Mon, Dec 21, 2020 at 09:33:44PM +0100, Benjamin Marwell wrote: > > > Hi Roberto, > > > > > > after talking to the PMC chair, I can give you three commit links. > > > > > > > https://github.com/apache/shiro/commit/042c59356cc6442345a9f935aed3e7603cb4dfad > > > > https://github.com/apache/shiro/commit/5b1add9a4c4ed046b52cf2132ed0f264a22caf1d > > > > https://github.com/apache/shiro/commit/1b9d8d99cd6d50d7114916508a13677a0fe6f345 > > > > > > I guess it is quite obvious what is inside these commits. > > > > > Hi Ben, > > > > This commits seem to have been made after the 1.6.0 release and before > > the 1.7.0 release. My belief is that they address CVE-2020-17510. Can > > you tell me if dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is the commit > > that addresses CVE-2020-13933? Are there other commits that go along > > with it to completely remedy CVE-2020-13933? > > > > Regards, > > > > -Roberto > > > > -- > > Roberto C. Sánchez > > -- > Roberto C. Sánchez >
