You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by Benjamin Marwell <bm...@apache.org> on 2021/01/31 23:00:18 UTC

[ANNOUNCE][CVE-2020-17523] Apache Shiro 1.7.1 released

The Shiro team is pleased to announce the release of Apache Shiro version 1.7.1.

This security release contains 1 fix since the 1.7.0 release and is
available for Download now [1].

Bug
    [SHIRO-797] - Shiro 1.7.0 is lower than using springboot version
2.0.7 dependency error

CVE-2020-17523:
    Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a
specially crafted HTTP request may cause an authentication bypass.

Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [2].

-The Apache Shiro Team

[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html

--
Benjamin
bmarwell@apache.org

Re: [ANNOUNCE][CVE-2020-17523] Apache Shiro 1.7.1 released

Posted by r00t 4dm <r0...@gmail.com>.

Hi,

> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html

There pages is not update.

Regards, r00t4dm
Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department

> 2021年2月1日 上午7:00，Benjamin Marwell <bm...@apache.org> 写道：
> 
> The Shiro team is pleased to announce the release of Apache Shiro version 1.7.1.
> 
> This security release contains 1 fix since the 1.7.0 release and is
> available for Download now [1].
> 
> Bug
>    [SHIRO-797] - Shiro 1.7.0 is lower than using springboot version
> 2.0.7 dependency error
> 
> CVE-2020-17523:
>    Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a
> specially crafted HTTP request may cause an authentication bypass.
> 
> Release binaries (.jars) are also available through Maven Central and
> source bundles through Apache distribution mirrors.
> 
> For more information on Shiro, please read the documentation [2].
> 
> -The Apache Shiro Team
> 
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html
> 
> --
> Benjamin
> bmarwell@apache.org

Re: [ANNOUNCE][CVE-2020-17523] Apache Shiro 1.7.1 released

Posted by r00t 4dm <r0...@gmail.com>.

Hi,

> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html

There pages is not update.

Regards, r00t4dm
Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department

> 2021年2月1日 上午7:00，Benjamin Marwell <bm...@apache.org> 写道：
> 
> The Shiro team is pleased to announce the release of Apache Shiro version 1.7.1.
> 
> This security release contains 1 fix since the 1.7.0 release and is
> available for Download now [1].
> 
> Bug
>    [SHIRO-797] - Shiro 1.7.0 is lower than using springboot version
> 2.0.7 dependency error
> 
> CVE-2020-17523:
>    Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a
> specially crafted HTTP request may cause an authentication bypass.
> 
> Release binaries (.jars) are also available through Maven Central and
> source bundles through Apache distribution mirrors.
> 
> For more information on Shiro, please read the documentation [2].
> 
> -The Apache Shiro Team
> 
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html
> 
> --
> Benjamin
> bmarwell@apache.org