Posted to dev@shiro.apache.org by "Roberto C. Sánchez" <ro...@debian.org> on 2020/10/05 02:01:06 UTC
Re: Request for assistance to backport CVE-2020-13933 fix
Hi Shiro Devs,
Any chance someone could help with my request?
Regards,
-Roberto
On Thu, Sep 24, 2020 at 02:48:17PM -0400, Roberto C. Sánchez wrote:
> Shiro Devs,
>
> I am working on a security update for the shiro package in Debian. The
> announcement for 1.6.0 indicates that CVE-2020-13933 is fixed in that
> release. However, the specific commit is not identified. Additionally,
> since neither the announcement nor any available information on the CVE
> describes the means of exploitation, it is not clear how I should proceed
> to go about backporting the fix.
>
> The 1.6.0 announcement describes the new "Global Filters" feature as
> helping to mitigate the type of issue described by CVE-2020-13933. It
> seems that commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is what is
> being referred to. However, the change is rather substantial and
> appears like it would require significant reworking to apply to 1.3.2.
>
> If someone could help with the following questions, it would be very much
> appreciated:
>
> - Is a backport of commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d to
> 1.3.2 possible/feasible?
> - Would it be possible to obtain information about the exploit to assist
> with either backporting dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d or
> with developing a new fix for 1.3.2?
> - Is there another approach that I should be considering instead?
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
--
Roberto C. Sánchez