could any one help to check this? Thanks
zh0122 <[email protected]> 于2021年4月22日周四 下午3:17写道: > Hello, > > As the Shiro has a bug CVE-2020-17523: >> >> Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a >> specially crafted HTTP request may cause an authentication bypass. > > > We use the CDH platform which integrating Shiro in the lib, but we has no > source code of the CDH platform. > For security reasons, we plan to upgrade the shiro-*.jar in the CDH libs. > > - Is there any suggestions about it? > - Could I only replace the jars in the lib directory? > - Is there any API change between 1.2.3 and 1.7.1 (1.4.0 and 1.7.1)? > - If I replace the 1.7.1 jars into the directory, is thers any > compatibility issue? > > Below is the list of Shiro in the installed CDH platform. > >> >> /opt/cloudera/parcels/CDH-5.16.1-1.cdh5.16.1.p0.3/jars/shiro-core-1.2.3.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-cache-1.4.0.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-config-core-1.4.0.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-config-ogdl-1.4.0.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-core-1.4.0.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-cipher-1.4.0.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-core-1.4.0.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-hash-1.4.0.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-event-1.4.0.jar >> >> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-lang-1.4.0.jar >> > > Thanks > BRs >
