Hi Brian, Thanks for your help. I am working to backport dc194fc977ab to address CVE-2020-13933 and after that I will move on to the fixes for CVE-2020-17510 and CVE-2020-17523.
As far as the maintainability of a 1.3.x package, upgrading to a newer version is not an option for two reasons. First, I am working on addressing these vulnerabilities in Debian Stretch, which is in the LTS stage of its lifecycle, making an update to a new upstream release very unlikely. Second, the shiro package in Debian was last updated about 2 years ago and even in Debian unstable 1.3.x is the highest available version. Any update to a new upstream version would need to start in the unstable distribution. As an additional complication, the activemq package in Debian depends on the shiro package, so a shiro update would need to be coordinated in a that ensures it doesn't break activemq. That said, I will bring the issue up to see if I can get an update started so that at the least the next Debian stable release has something more recent. Regards, -Roberto On Tue, Mar 16, 2021 at 05:50:50PM -0400, Brian Demers wrote: > Hey Roberto, > > Sorry about the delay on this one, I originally thought we had answered > your question. > > The commit you are looking for is > https://github.com/apache/shiro/commit/dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d > > If you are maintaining a 1.3.x package this is going to become more > difficult, is it possible to deprecate it and move to a recent version? > > > > On Sat, Jan 30, 2021 at 4:45 PM Roberto C. Sánchez <[email protected]> > wrote: > > > Bump. > > > > On Tue, Dec 22, 2020 at 09:30:47AM -0500, Roberto C. Sánchez wrote: > > > On Mon, Dec 21, 2020 at 09:33:44PM +0100, Benjamin Marwell wrote: > > > > Hi Roberto, > > > > > > > > after talking to the PMC chair, I can give you three commit links. > > > > > > > > > > https://github.com/apache/shiro/commit/042c59356cc6442345a9f935aed3e7603cb4dfad > > > > > > https://github.com/apache/shiro/commit/5b1add9a4c4ed046b52cf2132ed0f264a22caf1d > > > > > > https://github.com/apache/shiro/commit/1b9d8d99cd6d50d7114916508a13677a0fe6f345 > > > > > > > > I guess it is quite obvious what is inside these commits. > > > > > > > Hi Ben, > > > > > > This commits seem to have been made after the 1.6.0 release and before > > > the 1.7.0 release. My belief is that they address CVE-2020-17510. Can > > > you tell me if dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is the commit > > > that addresses CVE-2020-13933? Are there other commits that go along > > > with it to completely remedy CVE-2020-13933? > > > > > > Regards, > > > > > > -Roberto > > > > > > -- > > > Roberto C. Sánchez > > > > -- > > Roberto C. Sánchez > > -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com
