Posted to commits@shiro.apache.org by bd...@apache.org on 2022/10/12 02:44:17 UTC

[shiro-site] branch main updated: add 1.10.0 release blog

This is an automated email from the ASF dual-hosted git repository.

bdemers pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/shiro-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 6dba670b7 add 1.10.0 release blog
6dba670b7 is described below

commit 6dba670b76a2d64650cac9abaa388fe07aac6593
Author: Brian Demers <bd...@apache.org>
AuthorDate: Tue Oct 11 22:44:06 2022 -0400

    add 1.10.0 release blog
---
 .../10/10/2022/apache-shiro-1101-released.adoc     | 77 ++++++++++++++++++++++
 src/site/content/security-reports.adoc             |  4 ++
 2 files changed, 81 insertions(+)

diff --git a/src/site/content/blog/2022/10/10/2022/apache-shiro-1101-released.adoc b/src/site/content/blog/2022/10/10/2022/apache-shiro-1101-released.adoc
new file mode 100644
index 000000000..8fa54b708
--- /dev/null
+++ b/src/site/content/blog/2022/10/10/2022/apache-shiro-1101-released.adoc
@@ -0,0 +1,77 @@
+////
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+////
+
+= 1.10.0 available with fix CVE-2022-40664
+Brian Demers
+:jbake-date: 2022-10-10 00:00:00
+:jbake-type: post
+:jbake-status: published
+:jbake-tags: blog, release
+:idprefix:
+:icons: font
+
+The Shiro team is pleased to announce the release of Apache Shiro version 1.10.0.
+This is a feature release for 1.x.
+
+This release solves 7 issues since the 1.9.1 release and is available for download now.
+
+== All changes
+
+You can learn more on https://issues.apache.org/jira/projects/SHIRO/versions/12351946[Jira, Release 1.10.0].
+
+=== CVE-2022-40664
+Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
+
+Credit:
+Apache Shiro would like to thank Y4tacker for reporting this issue.
+
+=== Bug
+
+* [https://issues.apache.org/jira/browse/SHIRO-512[SHIRO-512]] - Race condition in Shiro's web container session timeout handling
+* [https://issues.apache.org/jira/browse/SHIRO-887[SHIRO-887]] - FormAuthenticationFilter trims passwords which start and/or end with one or more space character(s)
+
+=== Improvement
+
+* [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - fix source jar Reproducible Builds issue
+* [https://issues.apache.org/jira/browse/SHIRO-884[SHIRO-884]] - fix source jar Reproducible Builds issue
+* [https://issues.apache.org/jira/browse/SHIRO-885[SHIRO-885]] - Use OWASP Java Encoder with OSGi manifest
+* [https://issues.apache.org/jira/browse/SHIRO-890[SHIRO-890]] - Avoid another proxy creator when @EnableAspectJAutoProxy enabled
+* [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - Allow for direct configuration of ShiroFilter through WebEnvironment
+
+=== Dependency upgrade
+
+* Many dependency updates
+
+=== Behavior Changes
+
+As of 1.10.0, Shiro may filter a request multiple times, e.g. when including or forwarding requests. 
+
+This behavior can be reverted by setting the following property: `shiro.filterOncePerRequest=true`
+
+== Download
+
+Download and verification instructions are available link:/download.html[on our download page].
+
+== Documentation
+
+For more information on link:/documentation.html[Shiro, please read the documentation.]
+
+Enjoy!
+
+The Apache Shiro Team
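Review bot: the `=== Improvement` list carries SHIRO-891 twice with two different titles (`* [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - fix source jar Reproducible Builds issue` and again as `... - Allow for direct configuration of ShiroFilter through WebEnvironment`), and the first of those titles is identical to the SHIRO-884 entry; check Jira for the correct key, drop the duplicate, and then re-check the "solves 7 issues" statement, which only matches the list as written because of the repeated entry. Two smaller points in the same hunk: the file lands at `blog/2022/10/10/2022/apache-shiro-1101-released.adoc`, with a repeated `2022` path segment and `1101` in the name for a 1.10.0 release, which looks like a pasted path and will shape the post URL; and the title `= 1.10.0 available with fix CVE-2022-40664` reads better as `with fix for CVE-2022-40664`. Finally, because CVE-2022-40664 and the `=== Behavior Changes` section both concern forwarded and included requests, the note on `shiro.filterOncePerRequest=true` should state explicitly how reverting to single-filter behaviour relates to the CVE fix, so operators do not set it without understanding the security impact.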
diff --git a/src/site/content/security-reports.adoc b/src/site/content/security-reports.adoc
index 1b06f0a85..d195bc0ff 100644
--- a/src/site/content/security-reports.adoc
+++ b/src/site/content/security-reports.adoc
@@ -29,6 +29,10 @@ A http://www.apache.org/security/committers.html[more detailed description of th
 
 == Apache Shiro Vulnerability Reports
 
+=== link:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40664[CVE-2022-40664]
+
+Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
+
 === link:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32532[CVE-2022-32532]
 
 Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
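Review bot: the new CVE-2022-40664 entry repeats the one-line summary from the blog post and says less than the CVE-2022-32532 entry beneath it, which names the affected component and the condition under which it is exposed; add who is affected (applications that forward or include via RequestDispatcher), the fixed version (1.10.0) as the remediation, and a reference to the `shiro.filterOncePerRequest` behaviour note from the release post, so someone assessing exposure from this page alone has the full picture. Linking the entry to the release blog entry added in this same commit would also help.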