| //// |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| //// |
| |
| = 1.10.0 available with fix CVE-2022-40664 |
| Brian Demers |
| :jbake-date: 2022-10-10 00:00:00 |
| :jbake-type: post |
| :jbake-status: published |
| :jbake-tags: blog, release |
| :idprefix: |
| :icons: font |
| |
| The Shiro team is pleased to announce the release of Apache Shiro version 1.10.0. |
| This is a feature release for 1.x. |
| |
| This release solves 7 issues since the 1.9.1 release and is available for download now. |
| |
| == All changes |
| |
| You can learn more on https://issues.apache.org/jira/projects/SHIRO/versions/12351946[Jira, Release 1.10.0]. |
| |
| === CVE-2022-40664 |
| Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. |
| |
| Credit: |
| Apache Shiro would like to thank Y4tacker for reporting this issue. |
| |
| === Bug |
| |
| * [https://issues.apache.org/jira/browse/SHIRO-512[SHIRO-512]] - Race condition in Shiro's web container session timeout handling |
| * [https://issues.apache.org/jira/browse/SHIRO-887[SHIRO-887]] - FormAuthenticationFilter trims passwords which start and/or end with one or more space character(s) |
| |
| === Improvement |
| |
| * [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - fix source jar Reproducible Builds issue |
| * [https://issues.apache.org/jira/browse/SHIRO-884[SHIRO-884]] - fix source jar Reproducible Builds issue |
| * [https://issues.apache.org/jira/browse/SHIRO-885[SHIRO-885]] - Use OWASP Java Encoder with OSGi manifest |
| * [https://issues.apache.org/jira/browse/SHIRO-890[SHIRO-890]] - Avoid another proxy creator when @EnableAspectJAutoProxy enabled |
| * [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - Allow for direct configuration of ShiroFilter through WebEnvironment |
| |
| === Dependency upgrade |
| |
| * Many dependency updates |
| |
| === Behavior Changes |
| |
| As of 1.10.0, Shiro may filter a request multiple times, e.g. when including or forwarding requests. |
| |
| This behavior can be reverted by setting the following property: `shiro.filterOncePerRequest=true` |
| |
| == Download |
| |
| Download and verification instructions are available link:/download.html[on our download page]. |
| |
| == Documentation |
| |
| For more information on link:/documentation.html[Shiro, please read the documentation.] |
| |
| Enjoy! |
| |
| The Apache Shiro Team |