commit 6533fb201504b323c634c99e5a122fdcad38e95c
author François Papon <fpapon@apache.org> Wed Mar 25 17:19:44 2020 +0100
committer GitHub <noreply@github.com> Wed Mar 25 17:19:44 2020 +0100
tree 06328b88dc13af45ab31477a55311c8b85bcba4b
parent 6716e8ad09c90121ef43234a485f6af08beaf7d8
parent d165123587fe52f6898c58314626341d29412277

Merge pull request #54 from apache/news-1.5.2

Add news snippet and security-report for Shiro 1.5.2

index.html

diff --git a/index.html b/index.html
index 8383545..a92ce6c 100644
--- a/index.html
+++ b/index.html
@@ -25,6 +25,10 @@
 
                 <div class="panel-body">
                     <div>
+                        <a href="news.html">Release and CVE</a>
+                        <p><small>1.5.2 available with fix CVE-2020-1957 (2020-3-23)</small></p>
+                    </div>
+                    <div>
                         <a href="news.html">Release</a>
                         <p><small>1.5.1 available! (2020-2-23)</small></p>
                     </div>
@@ -36,10 +40,6 @@
                         <a href="news.html">Release and CVE</a>
                         <p><small>1.4.2 available with fix CVE-2019-12422 (2019-11-18)</small></p>
                     </div>
-                    <div>
-                        <a href="news.html">Release</a>
-                        <p><small>1.4.1 available! (2019-5-1)</small></p>
-                    </div>
                 </div>
             </div>
 

news.html

diff --git a/news.html b/news.html
index 7dde9ab..58c1296 100644
--- a/news.html
+++ b/news.html
@@ -14,6 +14,36 @@
 <div class="blog-post-listing">
 
     <div class="logo-heading-block">
+        <a class="blogHeading" id="1.5.2-released" href="#1.5.2-released">Apache Shiro 1.5.2 Released</a>
+    </div>
+
+    <div class="news-content">
+        <p>The Shiro team is pleased to announce the release of Apache Shiro version 1.5.2. This is a feature release for 1.x.</p>
+
+        <p>This release includes 3 issues resolved since the 1.5.1 release and is available for Download now.</p>
+
+        <p>Of Note:
+        <ul>
+            <li>Fixes authentication bypass issue: <a href="security-reports.html">CVE-2020-1957</a></li>
+            <li>FirstSuccessfulStrategy will short circuit correctly now.</li>
+        </ul>
+
+        You can learn more on <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950&version=12346483" target="_blank">Jira</a>
+        </p>
+
+        <p>Release binaries (.jars) are also available through Maven Central and source bundles through Apache distribution mirrors.</p>
+
+        <p>For more information on <a href="documentation.html">Shiro, please read the documentation.</a></p>
+
+        <p>Enjoy!</p>
+
+        <p>The Apache Shiro Team</p>
+    </div>
+</div>
+
+<div class="blog-post-listing">
+
+    <div class="logo-heading-block">
         <a class="blogHeading" id="1.5.1-released" href="#1.5.1-released">Apache Shiro 1.5.1 Released</a>
     </div>
 

security-reports.md

diff --git a/security-reports.md b/security-reports.md
index 2b571c1..f039de7 100644
--- a/security-reports.md
+++ b/security-reports.md
@@ -25,6 +25,9 @@
 Apache Shiro Vulnerability Reports
 ----------------------------------
 
+###[CVE-2020-1957](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1957)
+Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
+
 ###[CVE-2019-12422](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12422)
 Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.