Posted to dev@zeppelin.apache.org by 한병익 <hi...@gmail.com> on 2019/12/02 02:10:36 UTC
Update apache shiro to 1.4.2
According to the Apache Shiro official page's security reports, there is a vulnerability when using the default “Remember Me” configuration: cookies could be susceptible to a padding attack.
Now, Zeppelin uses Apache Shiro version 1.3.2. I think it should be updated to 1.4.2.
cf) https://shiro.apache.org/security-reports.html
Re: Update apache shiro to 1.4.2
Posted by Jeff Zhang <zj...@gmail.com>.
Thanks Alex, feel free to create a PR if you would like to contribute on
this.
Alex Ott <al...@gmail.com> wrote on Sun, Dec 8, 2019 at 8:50 PM:
> I've created ZEPPELIN-4472 for this
>
> On Mon, Dec 2, 2019 at 4:25 PM Jeff Zhang <zj...@gmail.com> wrote:
>
> > I think it makes sense to upgrade Shiro; could you create a ticket for it?
> > And you are welcome to create a PR to contribute to Zeppelin.
> >
> > 한병익 <hi...@gmail.com> wrote on Mon, Dec 2, 2019 at 9:38 PM:
> >
> > > According to the Apache Shiro official page's security reports, there is a
> > > vulnerability when using the default “Remember Me” configuration: cookies
> > > could be susceptible to a padding attack.
> > >
> > > Now, Zeppelin uses Apache Shiro version 1.3.2. I think it should be
> > > updated to 1.4.2.
> > >
> > > cf) https://shiro.apache.org/security-reports.html
> > >
> >
> >
> > --
> > Best Regards
> >
> > Jeff Zhang
> >
>
>
> --
> With best wishes, Alex Ott
> http://alexott.net/
> Twitter: alexott_en (English), alexott (Russian)
>
--
Best Regards
Jeff Zhang
Re: Update apache shiro to 1.4.2
Posted by Alex Ott <al...@gmail.com>.
I've created ZEPPELIN-4472 for this
On Mon, Dec 2, 2019 at 4:25 PM Jeff Zhang <zj...@gmail.com> wrote:
> I think it makes sense to upgrade Shiro; could you create a ticket for it?
> And you are welcome to create a PR to contribute to Zeppelin.
>
> 한병익 <hi...@gmail.com> wrote on Mon, Dec 2, 2019 at 9:38 PM:
>
> > According to the Apache Shiro official page's security reports, there is a
> > vulnerability when using the default “Remember Me” configuration: cookies
> > could be susceptible to a padding attack.
> >
> > Now, Zeppelin uses Apache Shiro version 1.3.2. I think it should be
> > updated to 1.4.2.
> >
> > cf) https://shiro.apache.org/security-reports.html
> >
>
>
> --
> Best Regards
>
> Jeff Zhang
>
--
With best wishes, Alex Ott
http://alexott.net/
Twitter: alexott_en (English), alexott (Russian)
Re: Update apache shiro to 1.4.2
Posted by Jeff Zhang <zj...@gmail.com>.
I think it makes sense to upgrade Shiro; could you create a ticket for it?
And you are welcome to create a PR to contribute to Zeppelin.
한병익 <hi...@gmail.com> wrote on Mon, Dec 2, 2019 at 9:38 PM:
> According to the Apache Shiro official page's security reports, there is a
> vulnerability when using the default “Remember Me” configuration: cookies
> could be susceptible to a padding attack.
>
> Now, Zeppelin uses Apache Shiro version 1.3.2. I think it should be
> updated to 1.4.2.
>
> cf) https://shiro.apache.org/security-reports.html
>
--
Best Regards
Jeff Zhang