You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@shiro.apache.org by r00t 4dm <r0...@gmail.com> on 2021/02/01 06:36:41 UTC

Re: [ANNOUNCE][CVE-2020-17523] Apache Shiro 1.7.1 released

Hi,

> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html

There pages is not update.

Regards, r00t4dm
Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department

> 2021年2月1日 上午7:00，Benjamin Marwell <bm...@apache.org> 写道：
> 
> The Shiro team is pleased to announce the release of Apache Shiro version 1.7.1.
> 
> This security release contains 1 fix since the 1.7.0 release and is
> available for Download now [1].
> 
> Bug
>    [SHIRO-797] - Shiro 1.7.0 is lower than using springboot version
> 2.0.7 dependency error
> 
> CVE-2020-17523:
>    Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a
> specially crafted HTTP request may cause an authentication bypass.
> 
> Release binaries (.jars) are also available through Maven Central and
> source bundles through Apache distribution mirrors.
> 
> For more information on Shiro, please read the documentation [2].
> 
> -The Apache Shiro Team
> 
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html
> 
> --
> Benjamin
> bmarwell@apache.org