| //// |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| //// |
| |
| = 1.9.1 available with fix CVE-2022-32532 |
| Brian Demers |
| :jbake-date: 2022-06-28 |
| :jbake-type: post |
| :jbake-status: published |
| :jbake-tags: blog, release |
| :idprefix: |
| :icons: font |
| |
| The Shiro team is pleased to announce the release of Apache Shiro version 1.9.1. |
| This is a feature release for 1.x. |
| |
| This release solves 6 issues since the 1.9.1 release and is available for download now. |
| |
| == All changes |
| |
| You can learn more on link:https://issues.apache.org/jira/projects/SHIRO/versions/12351487[Jira, Release 1.9.1]. |
| |
| === CVE-2022-32532 |
| Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. |
| |
| Credit: |
| Apache Shiro would like the thank 4ra1n for reporting this issue. |
| |
| === Bug |
| |
| * [https://issues.apache.org/jira/browse/SHIRO-829[SHIRO-829]] - |
| beanPostProcessor and FactoryBean cause aop to fail in the same |
| Configuration |
| * [https://issues.apache.org/jira/browse/SHIRO-845[SHIRO-845]] - |
| Dependencies for test-jars missing |
| |
| === Improvement |
| |
| * [https://issues.apache.org/jira/browse/SHIRO-871[SHIRO-871]] - ActiveDirectoryRealm - append suffix only if missing from username |
| * [https://issues.apache.org/jira/browse/SHIRO-872[SHIRO-872]] - fix Reproducible Builds issues |
| * [https://issues.apache.org/jira/browse/SHIRO-883[SHIRO-883]] - Add support for case insensitive regex path matching |
| |
| === Dependency upgrade |
| |
| * [https://issues.apache.org/jira/browse/SHIRO-878[SHIRO-878]] - Update Spring Dependencies to 5.2.20 |
| * [https://issues.apache.org/jira/browse/SHIRO-882[SHIRO-882]] - Upgrade to apache pom parent 26 |
| * [https://issues.apache.org/jira/browse/SHIRO-881[SHIRO-881]] - pom.xml in samples/web may lack dependency |
| |
| == Download |
| |
| Download and verification instructions are available link:/download.html[on our download page]. |
| |
| == Documentation |
| |
| For more information on link:/documentation.html[Shiro, please read the documentation.] |
| |
| Enjoy! |
| |
| The Apache Shiro Team |