The following was reported on oss-security. shiro doesn't seem to have
any rdeps in Debian.
Vendor: The Apache Software Foundation
Versions Affected: 1.0.0-incubating - 1.2.4
A default cipher key is used for the "remember me" feature when not
explicitly configured. A request that included a specially crafted
parameter could be used to execute arbitrary code or access content
that would otherwise be protected by a security constraint.
Users should upgrade to 1.2.5, ensure a secret cipher key is
configured, or disable the "remember me" feature.
All binaries (.jars) are available in Maven Central already.
If using a shiro.ini, "remember me" can be disabled by adding the
following config line in the '[main]' section:
securityManager.rememberMeManager = null
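The two mitigations the advisory names (set your own secret cipher key, or turn the feature off) can also be applied programmatically. The class below is an added example written for this post, not code from the advisory or from the Shiro project; it assumes Shiro 1.2.x on the classpath (the shiro-core and shiro-web artifacts) and uses only public Shiro API: AesCipherService.generateNewKey(), CookieRememberMeManager.setCipherKey(byte[]) and DefaultSecurityManager.setRememberMeManager(). The class name RememberMeKeyConfig and the method names are mine.

```java
import java.security.Key;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

// Example (not part of the advisory): avoid Shiro's built-in default
// remember-me key by either supplying a per-deployment secret key or
// disabling remember-me altogether.
public class RememberMeKeyConfig {

    // Generate a fresh AES key (128 bits by default in Shiro 1.2.x).
    // Do this once per deployment and keep the result in secret
    // configuration; never hard-code it in source that is checked in.
    static byte[] generateCipherKey() {
        Key key = new AesCipherService().generateNewKey();
        return key.getEncoded();
    }

    // Security manager whose remember-me cookies are encrypted with
    // the caller's own key instead of the library default.
    static DefaultWebSecurityManager withExplicitKey(byte[] cipherKey) {
        if (cipherKey == null || cipherKey.length == 0) {
            throw new IllegalArgumentException("cipherKey must be set");
        }
        CookieRememberMeManager rmm = new CookieRememberMeManager();
        rmm.setCipherKey(cipherKey);
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rmm);
        return sm;
    }

    // Equivalent of the shiro.ini line
    // "securityManager.rememberMeManager = null": no remember-me
    // cookie is ever issued or deserialized.
    static DefaultWebSecurityManager withRememberMeDisabled() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(null);
        return sm;
    }

    public static void main(String[] args) {
        byte[] key = generateCipherKey();
        // Print the key in the form shiro.ini accepts for byte[]
        // properties (base64), so it can be pasted into the [main]
        // section as securityManager.rememberMeManager.cipherKey = ...
        System.out.println("securityManager.rememberMeManager.cipherKey = "
                + Base64.encodeToString(key));
        withExplicitKey(key);
        withRememberMeDisabled();
    }
}
```

Run main() once on a trusted host to produce the key line, put it in the '[main]' section of shiro.ini alongside your other settings, and rotate it the same way you would any other application secret; if the feature is not needed at all, the null assignment from the advisory is the smaller attack surface.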
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.