I've created ZEPPELIN-4472 for this

On Mon, Dec 2, 2019 at 4:25 PM Jeff Zhang <zjf...@gmail.com> wrote:
> I think it makes sense to upgrade shiro, could you create a ticket for it?
> And welcome to create a PR to make contribution to Zeppelin.
>
> 한병익 <hiasinc...@gmail.com> wrote on Mon, Dec 2, 2019 at 9:38 PM:
>
> > According to the Apache Shiro official page's security-reports, there is a
> > vulnerability when using the default "Remember Me" configuration: cookies
> > could be susceptible to a padding attack.
> >
> > Now, Zeppelin uses Apache Shiro version 1.3.2. I think it should be
> > updated to 1.4.2.
> >
> > cf) https://shiro.apache.org/security-reports.html
>
> --
> Best Regards
>
> Jeff Zhang

--
With best wishes, Alex Ott
http://alexott.net/
Twitter: alexott_en (English), alexott (Russian)