Your message dated Sun, 12 Jun 2016 19:19:17 +0000
with message-id <e1bcauj-0003ce...@franck.debian.org>
and subject line Bug#826653: fixed in shiro 1.2.5-1
has caused the Debian Bug report #826653,
regarding CVE-2016-4437
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
826653: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826653
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: shiro
Severity: grave
Tags: security

The following was reported on oss-security. shiro doesn't seem to have
any rdeps in Debian.

Cheers,
        Moritz

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
1.0.0-incubating - 1.2.4

Description:
A default cipher key is used for the "remember me" feature when not
explicitly configured.  A request that included a specially crafted
request parameter could be used to execute arbitrary code or access
content that would otherwise be protected by a security constraint.

Mitigation:
Users should upgrade to 1.2.5 [1],  ensure a secret cipher key is
configured [2], or disable the "remember me" feature. [3]

All binaries (.jars) are available in Maven Central already.

References:
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled adding the
following config line in the '[main]' section:
  securityManager.rememberMeManager = null

--- End Message ---
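The mitigations the quoted advisory lists under [2] and [3] (configure an explicit "remember me" cipher key, or drop the rememberMeManager entirely), written out as an added Java example. This is not code from the advisory, the bug report or the Debian package. It assumes shiro-core and shiro-web 1.2.x on the classpath and uses Shiro's public API (CookieRememberMeManager, AbstractRememberMeManager.setCipherKey, AesCipherService.generateNewKey, org.apache.shiro.codec.Base64); the key-file path and the class name RememberMeKeyConfig are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/**
 * Added example (not Shiro's or Debian's code): give the "remember me"
 * cookie an explicit, deployment-specific AES key instead of relying on
 * whatever key the framework uses when none is configured, which is the
 * condition CVE-2016-4437 describes.
 */
public class RememberMeKeyConfig {

    /** Generate a fresh AES key with the same cipher service the
     *  remember-me manager uses, and return it base64-encoded so it can
     *  also be pasted into a shiro.ini [main] section. */
    static String generateCipherKeyBase64() {
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        return Base64.encodeToString(key);
    }

    /**
     * Read the key from a file outside the web root (the path is an
     * assumption); create and persist one on first use. Persisting
     * matters: a key generated at every start-up invalidates every
     * outstanding remember-me cookie, and all nodes in a cluster must
     * share the same key or cookies issued by one node fail on another.
     */
    static byte[] loadOrCreateCipherKey(Path keyFile) throws IOException {
        if (!Files.exists(keyFile)) {
            Files.write(keyFile,
                    generateCipherKeyBase64().getBytes(StandardCharsets.US_ASCII));
        }
        String b64 = new String(Files.readAllBytes(keyFile),
                StandardCharsets.US_ASCII).trim();
        return Base64.decode(b64);
    }

    /** Mitigation [2]: remember-me stays enabled, but with our own key. */
    static DefaultWebSecurityManager buildSecurityManager(byte[] cipherKey) {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(cipherKey);
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rememberMe);
        return sm;
    }

    /** Mitigation [3]: no remember-me manager at all. Programmatic
     *  equivalent of "securityManager.rememberMeManager = null" in
     *  the [main] section of shiro.ini. */
    static DefaultWebSecurityManager buildSecurityManagerWithoutRememberMe() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(null);
        return sm;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical location; pass a different path as the first argument.
        Path keyFile = Paths.get(args.length > 0 ? args[0]
                : "/etc/myapp/shiro-rememberme.key");
        byte[] key = loadOrCreateCipherKey(keyFile);
        buildSecurityManager(key);
        // For ini-based deployments the same base64 value goes into [main]:
        //   securityManager.rememberMeManager.cipherKey = <contents of keyFile>
        System.out.println("rememberMe cipherKey configured ("
                + key.length * 8 + "-bit AES) from " + keyFile);
    }
}
```

The check a practitioner wants after deploying either variant: every shiro.ini and every programmatic SecurityManager in the estate either sets rememberMeManager.cipherKey to a value generated per deployment, or sets rememberMeManager to null; a configuration that mentions neither is still on the default key regardless of which Shiro version is installed.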
--- Begin Message ---
Source: shiro
Source-Version: 1.2.5-1

We believe that the bug you reported is fixed in the latest version of
shiro, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 826...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated shiro package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 12 Jun 2016 11:57:59 -0700
Source: shiro
Binary: libshiro-java
Architecture: source all
Version: 1.2.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Description:
 libshiro-java - Apache Shiro - Java Security Framework
Closes: 797296 826653
Changes:
 shiro (1.2.5-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release.
     Fixes CVE-2016-4437 (Closes: #826653)
   * Bump Standards-Version to 3.9.8 (no changes).
   * Include reproducible build patch.
     Thank you to Chris Lamb. (Closes: #797296)
Checksums-Sha1:
 73795ee606e4406ce9004ec7209b3480da741d13 2228 shiro_1.2.5-1.dsc
 e46f46adefd5a6c8e1b3bbd5dc9a00957a4510cf 416288 shiro_1.2.5.orig.tar.xz
 e610719085d54282a319ec78ed9949bc6edc43e4 4544 shiro_1.2.5-1.debian.tar.xz
 df36b099ca355be7c5ad2a1d78317e65565372cf 533630 libshiro-java_1.2.5-1_all.deb
Checksums-Sha256:
 bb696800b6bbeb4301865b8c23776488c6b35c1d2eca09640803e003906d5129 2228 shiro_1.2.5-1.dsc
 c4b50f9c1db3f272e8e665f14d641a5cf8a337bae03da5351e66f8e94255b28c 416288 shiro_1.2.5.orig.tar.xz
 f8bd9d3c26db1f3015d9ba51a70c956da03fc40a62fbef75f61865bfd0497e3b 4544 shiro_1.2.5-1.debian.tar.xz
 29162bd8d464c79e3e77e3ecc277591301db9f802e39afa3ed9d80864e1a48c0 533630 libshiro-java_1.2.5-1_all.deb
Files:
 057c73e7f918562edb8ba46494d42115 2228 java optional shiro_1.2.5-1.dsc
 5bcf23c4a79e9d7fddfb98893bd1adc1 416288 java optional shiro_1.2.5.orig.tar.xz
 8bf8a6e15fbe997dac68cc0cef1b0010 4544 java optional shiro_1.2.5-1.debian.tar.xz
 a672a61287834ec4417c74568c8668a0 533630 java optional libshiro-java_1.2.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
