Dear Apache Shiro Community,

The Shiro team is pleased to announce our first release as an Apache Top Level Project, Apache Shiro version 1.1.0.
This release includes a number of bug fixes, new features and one important security vulnerability fix (noted at the end of this email). It is recommended that users upgrade to 1.1.0 as soon as possible.

This release is available from http://shiro.apache.org/download.html. All binaries are available in Maven Central already.

Please note that most of the Apache mirrors have been updated to reflect the source distribution, but some mirrors may not be updated yet. If a mirror download link does not work, please try another or wait another 12 to 24 hours.

Release Notes:

Release Notes - Shiro - Version 1.1.0

** Bug
* [SHIRO-172] - Missing SVN properties
* [SHIRO-177] - Wrong SimpleCookie expires locale
* [SHIRO-181] - Typo in IniShiroFilter javadoc
* [SHIRO-182] - SimpleSession cannot be deserialized
* [SHIRO-183] - Unable to correctly extract the Initialization Vector or ciphertext
* [SHIRO-185] - Shiro Annotations in Spring apps: annotations on method implementations not handled when using Spring's DefaultAutoProxyCreator
* [SHIRO-190] - PortFilter not accepting custom port
* [SHIRO-199] - Session Validation thread does not notify SessionListeners or clean orphans
* [SHIRO-201] - SessionsSecurityManager destroy() doesn't call super.destroy()

** Improvement
* [SHIRO-175] - Improve Set of permission and role checks
* [SHIRO-176] - AuthenticationInfo instances should be able to return stored salt
* [SHIRO-180] - Upgrade 3rd party dependencies to latest stable versions
* [SHIRO-186] - Credentials Hashing: AuthenticationInfo should be able to return a salt for credentials comparison
* [SHIRO-191] - Change all StringBuffer usages to StringBuilder
* [SHIRO-196] - Change any remaining usages of StringBuffer to StringBuilder where possible
* [SHIRO-204] - Deprecate subclasses of HashedCredentialsMatcher and cleanup Hash implementations

** New Feature
* [SHIRO-27] - OSGi support
* [SHIRO-166] - Complete and realistic web application example (but without Spring)
* [SHIRO-173] - Make the HttpMethodPermissionFilter the 'rest' filter in the pool of default filters
* [SHIRO-189] - Make existing Shiro .jars OSGi bundles

** Task
* [SHIRO-168] - Remove all @Author tags
* [SHIRO-209] - Remove Atlassian Crowd support module from source release until license compatibility can be verified

Enjoy!

The Apache Shiro team

-------

Below this line is the CVE report concerning the discovered security vulnerability fixed in 1.1.0. We advise all users to upgrade to 1.1.0 as soon as possible.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2010-3863: Apache Shiro information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Shiro 1.0.0-incubating
The unsupported JSecurity 0.9.x versions are also affected

Description:
Shiro's path-based filter chain mechanism did not normalize request paths before performing path-matching logic. The result is that Shiro filter chain matching logic was susceptible to potential path traversal attacks.

Mitigation:
All users should upgrade to 1.1.0

Example:

For a shiro.ini [urls] section entry:

/account/** = authc, ...
/** = anon

This states that all requests to the /account/** pages should be authenticated (as indicated by the 'authc' (authentication) filter) in the chain definition.

A malicious request could be sent:

GET /./account/index.jsp HTTP/1.1

And access would be granted because the path was not normalized to /account/index.jsp before evaluating the path for a match.

Credit:
This issue was discovered by Luke Taylor of SpringSource.
References:
http://shiro.apache.org/configuration.html

Les Hazlewood
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iQIcBAEBCgAGBQJM0F+ZAAoJEFWds0y8W3GbixQP/3f9UVJ1RQgEh+n8DQ82UxU6
NrFNJLXtXqzT/oxcTZUa5rxOsx1XZ2jXIt9X2c8nx9J+Ns4AfOGSdgq6Hj7+Cbgw
2Hc7t6oKpIFH5Tv4E6LHkYbKvDwvoD3U+CfactqDBqPYE10WQ7WNjvXyvm8bLgM6
+3ztqxmEREmg04FCDbErTmZXK59H6jhPHCttkYdw3mTQ9oM+v9cmL7c3NR3vXqoK
nwAtdmA24p1v05L9ptyiTuVWhoZKrru16jSI7wrz5Bj04ZqBHW5QSANo/SKQm6Gz
FZT74qi8XgTJnYhl0Ei9a4tPCiTKm2SUBOqZpcLd1d7S0WFlSUc+lgOT0Ze7NyFF
d9nkZcQyTSMf9Sh4mr62zdSvky3K1FNNgJ/EAdCc2xsHQRtuGJfvyBI4WidA9Cda
Ogg5v+J5/d/s5IYdmML4ffiv0Nah9BDX9SLi7FaxMphHmfA6unN85JWl2jrb6ij/
pRa2GR7pi6V6IxUdHETNpt+7YXU/zDibQCRPKlTAV54n2TK5tY5cVYpa3zw33ojL
aqPLV3U3nw2t7/wS/IMxnZ9vSdFV3ghlQn/YueQzrTeSMxshSQrdfT0T9pxa0Q0q
Db4wJRaX5W1uKurhQCa9zFnjU8xp97GobbThSRP7IHj0Fw1yVSCI7rXB5CHYpDSa
7MKcZauaP3nXPuAYVZBc
=fr+j
-----END PGP SIGNATURE-----
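The filter-chain bypass described in the advisory above, reproduced as an added example; this is not Shiro code and was not part of the original announcement. It models the [urls] chain definition from the advisory with a small Ant-style matcher and shows the advisory's request resolving to the unauthenticated 'anon' chain when the path is matched exactly as received (the pre-1.1.0 behaviour), and to 'authc' once dot segments and repeated slashes are normalized before matching. The names normalize_path, ant_to_regex and resolve_filter, the FILTER_CHAINS table, the percent-decoding step and the rejection of paths that climb above the context root are assumptions made for this illustration, not Shiro's implementation. The example also goes beyond the advisory's single '/./' case by covering '..', '//' and '%2e' variants of the same trick.

```python
"""Simulation of the CVE-2010-3863 filter-chain bypass: Ant-style chain
matching with and without request-path normalization.

Added example; not Apache Shiro code. The helper names, the decoding step
and the above-root rejection are assumptions made for this illustration."""
import re
from urllib.parse import unquote

# Constructed chain definitions in the order a shiro.ini [urls] section
# lists them; as in Shiro, the first matching pattern wins.
FILTER_CHAINS = [
    ("/account/**", "authc"),
    ("/**", "anon"),
]


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into a compiled regex.

    '/**' matches zero or more whole path segments, a bare '**' matches any
    characters, '*' matches within one segment and '?' matches a single
    non-slash character."""
    out = "^"
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(?:/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(out + "$")


def normalize_path(path):
    """Canonicalise a request path before it is matched.

    Percent-decodes the path (assumption: in a servlet container this
    happens before or as part of this step), resolves '.' and '..'
    segments and collapses repeated slashes. Returns None when '..' would
    climb above the context root; a caller should treat that as a
    malformed request rather than try to match it."""
    segments = []
    for segment in unquote(path).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(segment)
    return "/" + "/".join(segments)


def resolve_filter(request_path, normalize=True):
    """Return the filter of the first chain whose pattern matches the path.

    normalize=False reproduces the pre-1.1.0 behaviour of matching the
    path exactly as it arrived on the wire."""
    path = normalize_path(request_path) if normalize else request_path
    if path is None:
        return "reject"
    for pattern, filter_name in FILTER_CHAINS:
        if ant_to_regex(pattern).match(path):
            return filter_name
    return "none"


if __name__ == "__main__":
    # Constructed request targets, the second one taken from the advisory.
    for target in ("/account/index.jsp", "/./account/index.jsp",
                   "/public/../account/index.jsp", "//account/index.jsp",
                   "/%2e/account/index.jsp", "/../etc/passwd"):
        print(f"{target:32} unnormalized={resolve_filter(target, False):7}"
              f" normalized={resolve_filter(target)}")
```

Run as a script, the table shows every dot-segment and double-slash variant of /account/index.jsp falling through to 'anon' without normalization and landing on 'authc' with it. The practical check for any path-based access control is the same: the string handed to the matcher must be the canonical path the resource is actually served from, and anything that cannot be canonicalised (a path escaping the root, or one that still contains encoded separators after decoding) should be refused rather than matched.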
