Merge pull request #54 from apache/news-1.5.2
Add news snippet and security-report for Shiro 1.5.2
diff --git a/index.html b/index.html
index 8383545..a92ce6c 100644
--- a/index.html
+++ b/index.html
@@ -25,6 +25,10 @@
<div class="panel-body">
<div>
+ <a href="news.html">Release and CVE</a>
+ <p><small>1.5.2 available with fix CVE-2020-1957 (2020-3-23)</small></p>
+ </div>
+ <div>
<a href="news.html">Release</a>
<p><small>1.5.1 available! (2020-2-23)</small></p>
</div>
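Review bot: The added "Release and CVE" link points at `news.html` with no fragment, although this same change adds the `1.5.2-released` anchor in news.html. Consider `href="news.html#1.5.2-released"` so the teaser lands on the announcement, and consider linking the CVE id itself to `security-reports.html`, as the news item does, so readers arriving from the front page can reach the advisory in one click.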
@@ -36,10 +40,6 @@
<a href="news.html">Release and CVE</a>
<p><small>1.4.2 available with fix CVE-2019-12422 (2019-11-18)</small></p>
</div>
- <div>
- <a href="news.html">Release</a>
- <p><small>1.4.1 available! (2019-5-1)</small></p>
- </div>
</div>
</div>
diff --git a/news.html b/news.html
index 7dde9ab..58c1296 100644
--- a/news.html
+++ b/news.html
@@ -14,6 +14,36 @@
<div class="blog-post-listing">
<div class="logo-heading-block">
+ <a class="blogHeading" id="1.5.2-released" href="#1.5.2-released">Apache Shiro 1.5.2 Released</a>
+ </div>
+
+ <div class="news-content">
+ <p>The Shiro team is pleased to announce the release of Apache Shiro version 1.5.2. This is a feature release for 1.x.</p>
+
+ <p>This release includes 3 issues resolved since the 1.5.1 release and is available for Download now.</p>
+
+ <p>Of Note:
+ <ul>
+ <li>Fixes authentication bypass issue: <a href="security-reports.html">CVE-2020-1957</a></li>
+ <li>FirstSuccessfulStrategy will short circuit correctly now.</li>
+ </ul>
+
+ You can learn more on <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950&version=12346483" target="_blank">Jira</a>
+ </p>
+
+ <p>Release binaries (.jars) are also available through Maven Central and source bundles through Apache distribution mirrors.</p>
+
+ <p>For more information on <a href="documentation.html">Shiro, please read the documentation.</a></p>
+
+ <p>Enjoy!</p>
+
+ <p>The Apache Shiro Team</p>
+ </div>
+</div>
+
+<div class="blog-post-listing">
+
+ <div class="logo-heading-block">
<a class="blogHeading" id="1.5.1-released" href="#1.5.1-released">Apache Shiro 1.5.1 Released</a>
</div>
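Review bot: In the added "Of Note:" block the `<ul>` is opened inside a `<p>`, which HTML parsers close implicitly at the list, so the "You can learn more on Jira" sentence ends up outside any paragraph and the following `</p>` is unmatched. Close the paragraph before the `<ul>` and give the Jira sentence its own `<p>`. On the same Jira link, `target="_blank"` is used without `rel="noopener noreferrer"`, and the raw `&version=` in the href should be written `&amp;version=`. The opening paragraph also calls this "a feature release" while the first noted item is an authentication bypass fix; stating that it is a security release up front would make the upgrade priority clearer to readers.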
diff --git a/security-reports.md b/security-reports.md
index 2b571c1..f039de7 100644
--- a/security-reports.md
+++ b/security-reports.md
@@ -25,6 +25,9 @@
Apache Shiro Vulnerability Reports
----------------------------------
+###[CVE-2020-1957](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1957)
+Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
+
###[CVE-2019-12422](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12422)
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
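Review bot: The added CVE-2020-1957 entry describes the affected versions but gives no remediation. Since the text itself names 1.5.2 as the first unaffected version, add a sentence telling users to upgrade to 1.5.2. The description also repeats "Apache Shiro" and does not parse cleanly; wording such as "Apache Shiro before 1.5.2, when used with Spring dynamic controllers, allows a specially crafted request to bypass authentication" would read better. The CVE link uses `http://`; an `https://` URL would be preferable for a security advisory, here and on the existing CVE-2019-12422 entry.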