src/site/content/blog/2022/06/28/apache-shiro-191-released.adoc - shiro-site - Git at Google

 ////
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 ////

 = 1.9.1 available with fix CVE-2022-32532
 Brian Demers
 :jbake-date: 2022-06-28
 :jbake-type: post
 :jbake-status: published
 :jbake-tags: blog, release
 :idprefix:
 :icons: font

 The Shiro team is pleased to announce the release of Apache Shiro version 1.9.1.
 This is a feature release for 1.x.

 This release solves 6 issues since the 1.9.1 release and is available for download now.

 == All changes

 You can learn more on link:https://issues.apache.org/jira/projects/SHIRO/versions/12351487[Jira, Release 1.9.1].

 === CVE-2022-32532
 Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

 Credit:
 Apache Shiro would like the thank 4ra1n for reporting this issue.

 === Bug

 * [https://issues.apache.org/jira/browse/SHIRO-829[SHIRO-829]] -
 beanPostProcessor and FactoryBean cause aop to fail in the same
 Configuration
 * [https://issues.apache.org/jira/browse/SHIRO-845[SHIRO-845]] -
 Dependencies for test-jars missing

 === Improvement

 * [https://issues.apache.org/jira/browse/SHIRO-871[SHIRO-871]] - ActiveDirectoryRealm - append suffix only if missing from username
 * [https://issues.apache.org/jira/browse/SHIRO-872[SHIRO-872]] - fix Reproducible Builds issues
 * [https://issues.apache.org/jira/browse/SHIRO-883[SHIRO-883]] - Add support for case insensitive regex path matching

 === Dependency upgrade

 * [https://issues.apache.org/jira/browse/SHIRO-878[SHIRO-878]] - Update Spring Dependencies to 5.2.20
 * [https://issues.apache.org/jira/browse/SHIRO-882[SHIRO-882]] - Upgrade to apache pom parent 26
 * [https://issues.apache.org/jira/browse/SHIRO-881[SHIRO-881]] - pom.xml in samples/web may lack dependency

 == Download

 Download and verification instructions are available link:/download.html[on our download page].

 == Documentation

 For more information on link:/documentation.html[Shiro, please read the documentation.]

 Enjoy!

 The Apache Shiro Team
	////
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	////

	= 1.9.1 available with fix CVE-2022-32532
	Brian Demers
	:jbake-date: 2022-06-28
	:jbake-type: post
	:jbake-status: published
	:jbake-tags: blog, release
	:idprefix:
	:icons: font

	The Shiro team is pleased to announce the release of Apache Shiro version 1.9.1.
	This is a feature release for 1.x.

	This release solves 6 issues since the 1.9.1 release and is available for download now.

	== All changes

	You can learn more on link:https://issues.apache.org/jira/projects/SHIRO/versions/12351487[Jira, Release 1.9.1].

	=== CVE-2022-32532
	Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

	Credit:
	Apache Shiro would like the thank 4ra1n for reporting this issue.

	=== Bug

	* [https://issues.apache.org/jira/browse/SHIRO-829[SHIRO-829]] -
	beanPostProcessor and FactoryBean cause aop to fail in the same
	Configuration
	* [https://issues.apache.org/jira/browse/SHIRO-845[SHIRO-845]] -
	Dependencies for test-jars missing

	=== Improvement

	* [https://issues.apache.org/jira/browse/SHIRO-871[SHIRO-871]] - ActiveDirectoryRealm - append suffix only if missing from username
	* [https://issues.apache.org/jira/browse/SHIRO-872[SHIRO-872]] - fix Reproducible Builds issues
	* [https://issues.apache.org/jira/browse/SHIRO-883[SHIRO-883]] - Add support for case insensitive regex path matching

	=== Dependency upgrade

	* [https://issues.apache.org/jira/browse/SHIRO-878[SHIRO-878]] - Update Spring Dependencies to 5.2.20
	* [https://issues.apache.org/jira/browse/SHIRO-882[SHIRO-882]] - Upgrade to apache pom parent 26
	* [https://issues.apache.org/jira/browse/SHIRO-881[SHIRO-881]] - pom.xml in samples/web may lack dependency

	== Download

	Download and verification instructions are available link:/download.html[on our download page].

	== Documentation

	For more information on link:/documentation.html[Shiro, please read the documentation.]

	Enjoy!

	The Apache Shiro Team