Your message dated Sun, 12 Jun 2016 19:19:17 +0000
with message-id <[email protected]>
and subject line Bug#826653: fixed in shiro 1.2.5-1
has caused the Debian Bug report #826653,
regarding CVE-2016-4437
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
826653: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826653
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shiro
Severity: grave
Tags: security

The following was reported on oss-security. shiro doesn't seem to have
any rdeps in Debian.

Cheers,
        Moritz

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.0.0-incubating - 1.2.4

Description: A default cipher key is used for the "remember me" feature
when not explicitly configured. A request that included a specially
crafted request parameter could be used to execute arbitrary code or
access content that would otherwise be protected by a security
constraint.

Mitigation: Users should upgrade to 1.2.5 [1], ensure a secret cipher
key is configured [2], or disable the "remember me" feature. [3]

All binaries (.jars) are available in Maven Central already.

References:
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled by adding the
    following config line in the '[main]' section:
    securityManager.rememberMeManager = null
--- End Message ---
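The advisory's mitigation [2], configuring an explicit secret cipher key instead of relying on Shiro's built-in default, shown as an added Java example that is not part of the bug report or of Apache Shiro's own code. It assumes Shiro 1.2.x on the classpath; the class name RememberMeKeySetup is made up here, while AesCipherService.generateNewKey, CookieRememberMeManager.setCipherKey and DefaultWebSecurityManager.setRememberMeManager are Shiro's public API.

```java
// Added example (not from the Debian bug report or Apache Shiro): generate a
// fresh AES key for the "remember me" cookie and wire it in explicitly, so the
// application never falls back to the default key that CVE-2016-4437 concerns.
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

import java.security.Key;

public class RememberMeKeySetup {   // hypothetical class name

    /** Generate a new 128-bit AES key with Shiro's own, SecureRandom-backed cipher service. */
    public static byte[] generateRememberMeKey() {
        AesCipherService aes = new AesCipherService();
        Key key = aes.generateNewKey();   // 128 bits by default
        return key.getEncoded();
    }

    /**
     * Programmatic wiring: an explicitly set key replaces the default one.
     * The equivalent shiro.ini [main] entry is
     *   securityManager.rememberMeManager.cipherKey = <Base64 key>
     * (Base64 is the byte-array value format described under reference [2]).
     */
    public static DefaultWebSecurityManager buildSecurityManager(byte[] cipherKey) {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(cipherKey);
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rememberMe);
        return sm;
    }

    public static void main(String[] args) {
        byte[] key = generateRememberMeKey();
        // Print the line to paste into shiro.ini; the value is generated per run.
        System.out.println("securityManager.rememberMeManager.cipherKey = "
                + Base64.encodeToString(key));
        buildSecurityManager(key);
    }
}
```

Run it once, store the printed key outside source control (environment, secrets store), and give the same key to every node that must accept each other's "remember me" cookies; rotating the key invalidates all existing remember-me cookies, which is the intended effect after a suspected exposure.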
--- Begin Message ---
Source: shiro
Source-Version: 1.2.5-1

We believe that the bug you reported is fixed in the latest version of
shiro, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated shiro package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 12 Jun 2016 11:57:59 -0700
Source: shiro
Binary: libshiro-java
Architecture: source all
Version: 1.2.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Description:
 libshiro-java - Apache Shiro - Java Security Framework
Closes: 797296 826653
Changes:
 shiro (1.2.5-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release. Fixes CVE-2016-4437 (Closes: #826653)
   * Bump Standards-Version to 3.9.8 (no changes).
   * Include reproducible build patch. Thank you to Chris Lamb.
     (Closes: #797296)
Checksums-Sha1:
 73795ee606e4406ce9004ec7209b3480da741d13 2228 shiro_1.2.5-1.dsc
 e46f46adefd5a6c8e1b3bbd5dc9a00957a4510cf 416288 shiro_1.2.5.orig.tar.xz
 e610719085d54282a319ec78ed9949bc6edc43e4 4544 shiro_1.2.5-1.debian.tar.xz
 df36b099ca355be7c5ad2a1d78317e65565372cf 533630 libshiro-java_1.2.5-1_all.deb
Checksums-Sha256:
 bb696800b6bbeb4301865b8c23776488c6b35c1d2eca09640803e003906d5129 2228 shiro_1.2.5-1.dsc
 c4b50f9c1db3f272e8e665f14d641a5cf8a337bae03da5351e66f8e94255b28c 416288 shiro_1.2.5.orig.tar.xz
 f8bd9d3c26db1f3015d9ba51a70c956da03fc40a62fbef75f61865bfd0497e3b 4544 shiro_1.2.5-1.debian.tar.xz
 29162bd8d464c79e3e77e3ecc277591301db9f802e39afa3ed9d80864e1a48c0 533630 libshiro-java_1.2.5-1_all.deb
Files:
 057c73e7f918562edb8ba46494d42115 2228 java optional shiro_1.2.5-1.dsc
 5bcf23c4a79e9d7fddfb98893bd1adc1 416288 java optional shiro_1.2.5.orig.tar.xz
 8bf8a6e15fbe997dac68cc0cef1b0010 4544 java optional shiro_1.2.5-1.debian.tar.xz
 a672a61287834ec4417c74568c8668a0 533630 java optional libshiro-java_1.2.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXXbF2AAoJECHSBYmXSz6WAQ4P/i+juE4kZz8i+2ItCKaQoImh
yrBK1bVlHGuQMAnMczW90jrAQExPXWVcaBAWGZIQjO/gDdIiioaSaHL01GcoiqXB
66bTf01l/wcpT4G8Cs5/XEcbprf2dpwtUnChdV6rhvMM6RkyG9KHAaYn9Qo+PohW
C8gQvk0WHJ5B2H1QSmENMHwPnWk4j+XDEb3WfjEGVYnKOtC0Y+XSu74PityYzk3f
6G0nuhX5W+zeg17kMPFvbbPFxg8PexVUmdSwVQFoo6zDoMg9i/7RUqjwAy+L/56p
6XlbSO5dNzoNTbPg+fNtwRHoEmrov+8OZpRGMoZS5BYgj+VwJnTkDvwGvNek8k8W
TKYTKkrJ6BTreGj2k3PkP8ZPJUhK0pKRcXV7j505V7QZI75Z41fhjYEb9/ONyS/2
caWD4CLLU/dG754zLuKh2cFS4NhNHdf1grIlM/7+DasM8jYu3yqIWX+JpgOdmmh0
K3XFK50CgPO0hoFJtFSp+iNWfuDRwvXz43zXrQHz2/i/4cEpdhVL9WnQJBdJS7Js
oyY52pBtu6jzTzXJCGM33VVqBr4v5idV8VnYlBy9y3Q3kgwwBQ6iLvKLZzco9qAm
N4xKqA3tpdQ6MBvz65i8ZuwChhIMv1bHSaMVKz89kDxobSFlZFUIDEuU7wBPTN7b
R/ivPXzOe2Bl5z6/F4wr
=MGMp
-----END PGP SIGNATURE-----
--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.

