Ubuntu alert USN-7147-1 (shiro)

From:
             
 
Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>
To:
             
 
ubuntu-security-announce@lists.ubuntu.com
Subject:
             
 
[USN-7147-1] Apache Shiro vulnerabilities
Date:
             
 
Tue, 10 Dec 2024 15:48:56 -0330
Message-ID:
             
 
<556e43b5-ef25-47d6-8bf5-59977d26e822@canonical.com>
==========================================================================
Ubuntu Security Notice USN-7147-1
December 10, 2024

shiro vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Apache Shiro.

Software Description:
- shiro: Powerful and easy-to-use Java security framework

Details:

It was discovered that Apache Shiro incorrectly handled path traversal when
used with other web frameworks or path rewriting. An attacker could
possibly use this issue to obtain sensitive information or administrative
privileges. This update provides the corresponding fix for Ubuntu 24.04 LTS
and Ubuntu 24.10. (CVE-2023-34478, CVE-2023-46749)

It was discovered that Apache Shiro incorrectly handled web redirects when
used together with the form authentication method. An attacker could
possibly use this issue to perform phishing attacks. This update provides
the corresponding fix for Ubuntu 24.04 LTS and Ubuntu 24.10.
(CVE-2023-46750)

It was discovered that Apache Shiro incorrectly handled requests through
servlet filtering. An attacker could possibly use this issue to obtain
administrative privileges. This update provides the corresponding fix for
Ubuntu 16.04 LTS. (CVE-2016-6802)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   libshiro-java                   1.3.2-5ubuntu0.24.10.1

Ubuntu 24.04 LTS
   libshiro-java                   1.3.2-5ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS
   libshiro-java                   1.2.4-1ubuntu0.1~esm2
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7147-1
   CVE-2016-6802, CVE-2023-34478, CVE-2023-46749, CVE-2023-46750

Package Information:
https://launchpad.net/ubuntu/+source/shiro/1.3.2-5ubuntu0...




Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEELOLXZEFYQHcSWEHiyfW2m9Ldu6sFAmdYlCAFAwAAAAAACgkQyfW2m9Ldu6sG
rA//czaIv5eFx/OSHv08mjDHW4vja3ewYBXxgZXFw338Evo/lGULxA1rAy9nSmVHKLA8DP3tl9va
6lcRf1j33vD3v96tX/KnfcmlyqUoOjl+DWVGvnRmemtWScgikmhsBhXKMsmILRzR3pvPkWRcJxMB
vReE2CpnUj3rqntpKtcdLpsPJ9fdX/HzcdeEb3M9nycoHiTMvFOK6Row6AvtCsKBE2bnSDckzw56
xp7im9IhFuuHHRrqKbgk6HMp2VaHU7FvweUwBUloxcXpGcW6w4biPdPIR+N/jmjyULuKoj+DtuiG
cwGdqvbzV//kArQEi3vegxQ82atOXifL17SixeytzfCc1R9fpjcsLs8Uhvbh4al2UbR3/ESmWv4V
Kemb/w1KtOJZTxO96tvQ2whTS43RPCJ7Jf3mZ6pn/P2QDBqp2w5nJ1FdxE3FGzz0xEbLogkkMQpf
NDmxXAoHGQnQV7t/+1QCh4osOLeUm8WdE2053oAJvVpwD+TNRvPT2VFTc/7CK4NMejWvKOlKse5Z
qufGpCuQoeRp22GWwDQCs5qxShu1KdOW8Lng5ZFZW34p2U9SFiPKuE7kgP/M3t+0AkPePkgEOwbh
f/YF7wLgtWQrP2Ic5bFzw0UPErPoEeD4v2Y8ncXobGp/amYiMNEBnvsHZhuMoJs4gJUdcIbRgjfG
xAI=
=BXEF
-----END PGP SIGNATURE-----


Attachment: None (type=text/plain)