lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAH9eYVpxTNZUpKuM2eRCe3-Jcy1L_8rLm_s9coVA+dQdSLwxAw@mail.gmail.com>
Date: Fri, 3 Jun 2016 11:46:10 -0400
From: Brian Demers <bdemers@...che.org>
To: bugtraq@...urityfocus.com
Subject: [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
1.0.0-incubating - 1.2.4

Description:
A default cipher key is used for the "remember me" feature when not
explicitly configured.  A request that included a specially crafted
request parameter could be used to execute arbitrary code or access
content that would otherwise be protected by a security constraint.

Mitigation:
Users should upgrade to 1.2.5 [1],  ensure a secret cipher key is
configured [2], or disable the "remember me" feature. [3]

All binaries (.jars) are available in Maven Central already.

References:
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled adding the
following config line in the '[main]' section:
  securityManager.rememberMeManager = null

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ