
A shiro security update has been released for Debian GNU/Linux 9 LTS to address two security issues.



DLA 2273-1: shiro security update



Package : shiro
Version : 1.3.2-1+deb9u1
CVE IDs : CVE-2020-1957 CVE-2020-11989
Debian Bug : #955018

It was discovered that there were two issues in shiro, a security
framework for Java applications:

* CVE-2020-1957: Fix a path-traversal issue where a
specially-crafted request could cause an authentication bypass.

* CVE-2020-11989: Fix an encoding issue introduced in the handling
of the previous CVE-2020-1957 path-traversal issue which itself
could have also caused an authentication bypass.

For Debian 9 "Stretch", these issues have been fixed in shiro version
1.3.2-1+deb9u1.

We recommend that you upgrade your shiro packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS