[jira] [Commented] (SHIRO-877) spring4shell CVE means spring upgrades probably needed

Benjamin Marwell (Jira) Sun, 03 Apr 2022 12:28:07 -0700


    [ 
https://issues.apache.org/jira/browse/SHIRO-877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17516579#comment-17516579
 ]


Benjamin Marwell commented on SHIRO-877:
----------------------------------------

Hello [~pj.fanning],

we are aware of that announcement, see Brian’s comment here:

{quote}In general opening, an issue isn't the ideal way to ask a question, 
reach out to the mailing list
https://shiro.apache.org/mailing-lists.html

It's hard to say if your application that users Shiro is affected or not, your 
best course of action is to follow the information provided by the Spring team:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

As with other 3rd party libraries, the Shiro project will update to newer 
versions, but your application should be managing its direct dependencies
If you are a Maven user see: 
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html

TL;DR - Keep your dependencies updated.{quote}

https://issues.apache.org/jira/browse/SHIRO-876?focusedCommentId=17515521&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17515521

Please also keep in mind opening tickets for security issues is not a good idea:

https://www.apache.org/security/#reporting-a-vulnerability

Please also note that our "spring-webmvc" dependency is only an optional 
dependency.

{quote}
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <optional>true</optional>
        </dependency>
{quote}

Takeaway:

{quote}TL;DR - Keep your dependencies updated.{quote}

> spring4shell CVE means spring upgrades probably needed
> ------------------------------------------------------
>
>                 Key: SHIRO-877
>                 URL: https://issues.apache.org/jira/browse/SHIRO-877
>             Project: Shiro
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>
> https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Commented] (SHIRO-877) spring4shell CVE means spring upgrades probably needed

Reply via email to