src/site/content/blog/2022/10/10/2022/apache-shiro-1101-released.adoc - shiro-site - Git at Google

 ////
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 ////

 = 1.10.0 available with fix CVE-2022-40664
 Brian Demers
 :jbake-date: 2022-10-10 00:00:00
 :jbake-type: post
 :jbake-status: published
 :jbake-tags: blog, release
 :idprefix:
 :icons: font

 The Shiro team is pleased to announce the release of Apache Shiro version 1.10.0.
 This is a feature release for 1.x.

 This release solves 7 issues since the 1.9.1 release and is available for download now.

 == All changes

 You can learn more on https://issues.apache.org/jira/projects/SHIRO/versions/12351946[Jira, Release 1.10.0].

 === CVE-2022-40664
 Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

 Credit:
 Apache Shiro would like to thank Y4tacker for reporting this issue.

 === Bug

 * [https://issues.apache.org/jira/browse/SHIRO-512[SHIRO-512]] - Race condition in Shiro's web container session timeout handling
 * [https://issues.apache.org/jira/browse/SHIRO-887[SHIRO-887]] - FormAuthenticationFilter trims passwords which start and/or end with one or more space character(s)

 === Improvement

 * [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - fix source jar Reproducible Builds issue
 * [https://issues.apache.org/jira/browse/SHIRO-884[SHIRO-884]] - fix source jar Reproducible Builds issue
 * [https://issues.apache.org/jira/browse/SHIRO-885[SHIRO-885]] - Use OWASP Java Encoder with OSGi manifest
 * [https://issues.apache.org/jira/browse/SHIRO-890[SHIRO-890]] - Avoid another proxy creator when @EnableAspectJAutoProxy enabled
 * [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - Allow for direct configuration of ShiroFilter through WebEnvironment

 === Dependency upgrade

 * Many dependency updates

 === Behavior Changes

 As of 1.10.0, Shiro may filter a request multiple times, e.g. when including or forwarding requests.

 This behavior can be reverted by setting the following property: `shiro.filterOncePerRequest=true`

 == Download

 Download and verification instructions are available link:/download.html[on our download page].

 == Documentation

 For more information on link:/documentation.html[Shiro, please read the documentation.]

 Enjoy!

 The Apache Shiro Team
	////
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	////

	= 1.10.0 available with fix CVE-2022-40664
	Brian Demers
	:jbake-date: 2022-10-10 00:00:00
	:jbake-type: post
	:jbake-status: published
	:jbake-tags: blog, release
	:idprefix:
	:icons: font

	The Shiro team is pleased to announce the release of Apache Shiro version 1.10.0.
	This is a feature release for 1.x.

	This release solves 7 issues since the 1.9.1 release and is available for download now.

	== All changes

	You can learn more on https://issues.apache.org/jira/projects/SHIRO/versions/12351946[Jira, Release 1.10.0].

	=== CVE-2022-40664
	Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

	Credit:
	Apache Shiro would like to thank Y4tacker for reporting this issue.

	=== Bug

	* [https://issues.apache.org/jira/browse/SHIRO-512[SHIRO-512]] - Race condition in Shiro's web container session timeout handling
	* [https://issues.apache.org/jira/browse/SHIRO-887[SHIRO-887]] - FormAuthenticationFilter trims passwords which start and/or end with one or more space character(s)

	=== Improvement

	* [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - fix source jar Reproducible Builds issue
	* [https://issues.apache.org/jira/browse/SHIRO-884[SHIRO-884]] - fix source jar Reproducible Builds issue
	* [https://issues.apache.org/jira/browse/SHIRO-885[SHIRO-885]] - Use OWASP Java Encoder with OSGi manifest
	* [https://issues.apache.org/jira/browse/SHIRO-890[SHIRO-890]] - Avoid another proxy creator when @EnableAspectJAutoProxy enabled
	* [https://issues.apache.org/jira/browse/SHIRO-891[SHIRO-891]] - Allow for direct configuration of ShiroFilter through WebEnvironment

	=== Dependency upgrade

	* Many dependency updates

	=== Behavior Changes

	As of 1.10.0, Shiro may filter a request multiple times, e.g. when including or forwarding requests.

	This behavior can be reverted by setting the following property: `shiro.filterOncePerRequest=true`

	== Download

	Download and verification instructions are available link:/download.html[on our download page].

	== Documentation

	For more information on link:/documentation.html[Shiro, please read the documentation.]

	Enjoy!

	The Apache Shiro Team