Your message dated Fri, 27 Aug 2021 17:34:54 +0000
with message-id <[email protected]>
and subject line Bug#955018: fixed in shiro 1.3.2-5
has caused the Debian Bug report #955018,
regarding shiro: CVE-2020-1957
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
955018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955018
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shiro
Version: 1.3.2-4
Severity: important
Tags: security upstream
Control: found -1 1.3.2-1

Hi,

The following vulnerability was published for shiro.

CVE-2020-1957[0]:
| Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic
| controllers, a specially crafted request may cause an authentication
| bypass.

There is no reference to upstream issues or fixes; can you check?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-1957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1957
[1] https://www.openwall.com/lists/oss-security/2020/03/23/2

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: shiro
Source-Version: 1.3.2-5
Done: Roberto C. Sánchez <[email protected]>

We believe that the bug you reported is fixed in the latest version of
shiro, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sánchez <[email protected]> (supplier of updated shiro package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 27 Aug 2021 13:10:19 -0400
Source: shiro
Architecture: source
Version: 1.3.2-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Roberto C. Sánchez <[email protected]>
Closes: 955018 968753
Changes:
 shiro (1.3.2-5) unstable; urgency=medium
 .
   * Team upload.
   * Update patch for Spring Framework 4.3.x build failure.
   * Cherry-pick upstream patch with Guice improvements.
   * CVE-2020-1957: Fix a path-traversal issue where a specially-crafted request
     could cause an authentication bypass. (Closes: #955018)
   * CVE-2020-11989: Fix an encoding issue introduced in the handling of the
     previous CVE-2020-1957 path-traversal issue which could have also caused an
     authentication bypass.
   * CVE-2020-13933: Fix an authentication bypass resulting from a specially
     crafted HTTP request. (Closes: #968753)
   * CVE-2020-17510: Fix an authentication bypass resulting from a specially
     crafted HTTP request.
Checksums-Sha1:
 480e59dd370ce6d79ea177f51a00f563455962d6 2272 shiro_1.3.2-5.dsc
 fcc8b1b28f0f1fd02f2f27e6dbb0a8b58c0dc3ac 20652 shiro_1.3.2-5.debian.tar.xz
 da681283559c80260cf6853495b0049fd5313dcc 13566 shiro_1.3.2-5_amd64.buildinfo
Checksums-Sha256:
 3dc9863e96e8339b19f286c6f376be0f81d5e7b9a85912ba61f972b468b1169c 2272 shiro_1.3.2-5.dsc
 949fd3320047c46b1aac4a1c39a7c053561738c5b10e4633585c0daa06966730 20652 shiro_1.3.2-5.debian.tar.xz
 d457edfc1dec67963dc2966f5d0b0f44856e084cfa1847f739dfad3d842602e1 13566 shiro_1.3.2-5_amd64.buildinfo
Files:
 61010d12ea9f8ef46464e068d50b4076 2272 java optional shiro_1.3.2-5.dsc
 4d756ea1c2391edaba436e5f8f22b9dd 20652 java optional shiro_1.3.2-5.debian.tar.xz
 c9d2453f90ae8706bbb57f43f2c9075b 13566 java optional shiro_1.3.2-5_amd64.buildinfo


--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.