Source: shiro
Version: 1.3.2-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for shiro.

CVE-2026-43827[0]:
| Default configurations of Apache Shiro have a session fixation
| vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0,
| and 3.0.0-alpha-1. Users are recommended to upgrade to version
| 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the
| affected versions, when a session already exists, it is not
| invalidated upon successful login, nor is a new session being
| generated with a new ID.

CVE-2026-43828[1]:
| Default configurations of Apache Shiro send sensitive cookies in
| HTTPS session without 'Secure' attribute. This issue affects
| Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are
| recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later,
| which fixes the issue. In the affected versions, Shiro-native
| session manager, as well as Remember-Me manager sends JSESSIONID and
| rememberMe cookies without 'secure' attribute by default.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43827
    https://www.cve.org/CVERecord?id=CVE-2026-43827
[1] https://security-tracker.debian.org/tracker/CVE-2026-43828
    https://www.cve.org/CVERecord?id=CVE-2026-43828

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
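As an added illustration that is not part of this report or of Shiro's own code, the following audit checks a login exchange for the two defaults the CVEs describe: a session ID that survives login unchanged, and JSESSIONID/rememberMe cookies set without the Secure attribute. The header values and session IDs below are constructed sample data.

```python
"""Audit a login response for the two Shiro defaults described above:
session fixation (JSESSIONID not regenerated on login) and sensitive
cookies issued without the Secure attribute. Sample data is constructed."""
from http.cookies import SimpleCookie

# Cookie names named in the advisory; anything else is ignored by the check.
SENSITIVE = {"JSESSIONID", "rememberMe"}


def parse_set_cookies(headers):
    """Map cookie name -> (value, secure_flag) from Set-Cookie header values."""
    out = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            out[name] = (morsel.value, bool(morsel["secure"]))
    return out


def audit_login(pre_login_cookies, post_login_set_cookie):
    """pre_login_cookies: cookies the client held before submitting credentials.
    post_login_set_cookie: Set-Cookie values on the successful login response.
    Returns a list of findings; an empty list means both checks pass."""
    findings = []
    issued = parse_set_cookies(post_login_set_cookie)
    # Session fixation: a successful login must issue a fresh session identifier.
    old_sid = pre_login_cookies.get("JSESSIONID")
    new_sid = issued.get("JSESSIONID", (None, None))[0]
    if old_sid is not None and (new_sid is None or new_sid == old_sid):
        findings.append("session-fixation: JSESSIONID not regenerated on login")
    # Secure attribute: sensitive cookies must never be sent over plain HTTP.
    for name, (_, secure) in issued.items():
        if name in SENSITIVE and not secure:
            findings.append(f"missing-secure: {name} set without Secure attribute")
    return findings


# Constructed exchange mirroring the vulnerable defaults (same ID, no Secure).
VULNERABLE_PRE = {"JSESSIONID": "abc123"}
VULNERABLE_RESP = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "rememberMe=deleteMe; Path=/; Max-Age=0",
]
# Constructed exchange after the fix (new ID on login, Secure on both cookies).
FIXED_PRE = {"JSESSIONID": "abc123"}
FIXED_RESP = [
    "JSESSIONID=def456; Path=/; HttpOnly; Secure",
    "rememberMe=deleteMe; Path=/; Max-Age=0; Secure",
]
```

Run `audit_login(VULNERABLE_PRE, VULNERABLE_RESP)` against captured headers from a test deployment to confirm the fixed package regenerates the session and sets Secure.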
