shiro - Debian Package Tracker

general

source: shiro (main)
version: 1.3.2-5
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.3.2-1
o-o-sec: 1.3.2-1+deb9u2
oldstable: 1.3.2-4+deb10u1
stable: 1.3.2-4+deb11u1
testing: 1.3.2-5
unstable: 1.3.2-5

versioned links

1.3.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.2-1+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.2-4+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.2-4+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.2-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libshiro-java

action needed

A new upstream version is available: 1.10.1 high

A new upstream version 1.10.1 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2022-12-01 02:46

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2019-12422: Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
CVE-2022-32532: Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
CVE-2022-40664: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Created: 2022-07-04 Last update: 2022-10-14 04:08

4 security issues in buster high

There are 4 open security issues in buster.

1 important issue:

CVE-2022-40664: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

3 issues postponed or untriaged:

CVE-2019-12422: (needs triaging) Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2021-41303: (needs triaging) Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
CVE-2022-32532: (needs triaging) Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Created: 2022-10-12 Last update: 2022-10-14 04:08

4 security issues in bullseye high

There are 4 open security issues in bullseye.

1 important issue:

CVE-2022-40664: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

3 issues left for the package maintainer to handle:

CVE-2019-12422: (needs triaging) Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2021-41303: (needs triaging) Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
CVE-2022-32532: (needs triaging) Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2022-10-14 04:08

4 security issues in bookworm high

There are 4 open security issues in bookworm.

4 important issues:

CVE-2019-12422: Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
CVE-2022-32532: Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
CVE-2022-40664: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Created: 2022-07-04 Last update: 2022-10-14 04:08

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.4.2-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit eb6d684042c00a1b935bd8157e236427db5f70f4
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:59:21 2019 +0100

    Set distribution to UNRELEASED

commit 7c278ce79b3ce052ec6a018074f900f3cf5d4b7f
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:47:04 2019 +0100

    Add a maven rule for hamcrest

commit fb31d5ec6fb5c717e170d75eec43736920a44b2f
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:28:56 2019 +0100

    Add libhamcrest-java to B-D.

commit 14cb513a8ab48fe71dad632e4b3b8d3b695de33a
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:26:29 2019 +0100

    Ignore org.apache.maven.plugins:maven-failsafe-plugin

commit 9431722e1efb566803c03b0e0b0c6a0244e78f24
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:21:44 2019 +0100

    Ignore some unsupported modules

commit 17291ba36402a64c6763cdf4e42a93c766a4bd53
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:06:31 2019 +0100

    Refresh patches for new release

commit 1d3306c6aa9d63b47add579df9e0d533427001bc
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:03:30 2019 +0100

    Update changelog

commit 41d3d9c459c19180cc9308bcb5ec6ca815d5431d
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:00:52 2019 +0100

    Declare compliance with Debian Policy 4.4.1.

commit 6513830d7dedaccfa5af4d41f54400b9d9065ac8
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:00:32 2019 +0100

    Switch to debhelper-compat = 12.

commit 918b601b534d483196e795901162fe353866f804
Merge: 8cf8783 74e76a3
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:00:17 2019 +0100

    Update upstream source from tag 'upstream/1.4.2'
    
    Update to upstream version '1.4.2'
    with Debian dir 329b1ef1be4dfb295305f4b5421a9f09bc6edfa0

commit 74e76a3a4aabd34d62b6aaff44297c853227b8da
Author: Markus Koschany <apo@debian.org>
Date:   Thu Dec 26 20:00:12 2019 +0100

    New upstream version 1.4.2

Created: 2019-12-30 Last update: 2022-11-30 15:30

lintian reports 9 warnings normal

Lintian reports 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2021-09-06 18:35

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.3.0).

Created: 2019-07-08 Last update: 2022-05-11 23:25

news

[rss feed]

[2021-09-02] Accepted shiro 1.3.2-4+deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Roberto C. Sanchez)
[2021-09-02] Accepted shiro 1.3.2-4+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Roberto C. Sanchez)
[2021-09-02] shiro 1.3.2-5 MIGRATED to testing (Debian testing watch)
[2021-08-27] Accepted shiro 1.3.2-5 (source) into unstable (Roberto C. Sánchez) (signed by: Roberto C. Sanchez)
[2021-08-02] Accepted shiro 1.3.2-1+deb9u2 (source) into oldstable (Roberto C. Sánchez) (signed by: Roberto C. Sanchez)
[2020-07-08] Accepted shiro 1.3.2-1+deb9u1 (source all) into oldstable (Chris Lamb)
[2020-04-19] Accepted shiro 1.2.3-1+deb8u1 (source all) into oldoldstable (Chris Lamb)
[2019-03-12] shiro 1.3.2-4 MIGRATED to testing (Debian testing watch)
[2019-03-01] Accepted shiro 1.3.2-4 (source) into unstable (Markus Koschany)
[2018-12-05] shiro 1.3.2-3 MIGRATED to testing (Debian testing watch)
[2018-11-29] Accepted shiro 1.3.2-3 (source) into unstable (Emmanuel Bourg)
[2017-08-23] shiro 1.3.2-2 MIGRATED to testing (Debian testing watch)
[2017-08-18] Accepted shiro 1.3.2-2 (source all) into unstable (tony mancill)
[2016-11-22] shiro 1.3.2-1 MIGRATED to testing (Debian testing watch)
[2016-11-16] Accepted shiro 1.3.2-1 (source all) into unstable (Emmanuel Bourg)
[2016-08-25] shiro 1.2.5-2 MIGRATED to testing (Debian testing watch)
[2016-08-19] Accepted shiro 1.2.5-2 (source all) into unstable (Emmanuel Bourg)
[2016-06-15] shiro 1.2.5-1 MIGRATED to testing (Debian testing watch)
[2016-06-12] Accepted shiro 1.2.5-1 (source all) into unstable (tony mancill)
[2015-07-27] shiro 1.2.4-1 MIGRATED to testing (Britney)
[2015-07-21] Accepted shiro 1.2.4-1 (source all) into unstable (Emmanuel Bourg)
[2014-11-04] shiro 1.2.3-1 MIGRATED to testing (Britney)
[2014-10-24] Accepted shiro 1.2.3-1 (source all) into unstable, unstable (Emmanuel Bourg)

bugs [bug history graph]

all: 5
RC: 0
I&N: 5
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 9)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.3.2-5