Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in Apache
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Apache
ID: USN-7147-1
Distribution: Ubuntu
Plattformen: Ubuntu 16.04 LTS, Ubuntu 24.04 LTS, Ubuntu 24.10
Datum: Di, 10. Dezember 2024, 22:20
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34478
https://launchpad.net/ubuntu/+source/shiro/1.3.2-5ubuntu0.24.10.1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6802
Applikationen: Apache

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============5144533814275683973==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------97hkLAv6ZDNc1imMhrtbqwVg"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------97hkLAv6ZDNc1imMhrtbqwVg
Content-Type: multipart/mixed;
 boundary="------------hkRzfVtAz02q0NRyd7MrDD1n";
 protected-headers="v1"
From: Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <556e43b5-ef25-47d6-8bf5-59977d26e822@canonical.com>
Subject: [USN-7147-1] Apache Shiro vulnerabilities

--------------hkRzfVtAz02q0NRyd7MrDD1n
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-7147-1
December 10, 2024

shiro vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Apache Shiro.

Software Description:
- shiro: Powerful and easy-to-use Java security framework

Details:

It was discovered that Apache Shiro incorrectly handled path traversal when
used with other web frameworks or path rewriting. An attacker could
possibly use this issue to obtain sensitive information or administrative
privileges. This update provides the corresponding fix for Ubuntu 24.04 LTS
and Ubuntu 24.10. (CVE-2023-34478, CVE-2023-46749)

It was discovered that Apache Shiro incorrectly handled web redirects when
used together with the form authentication method. An attacker could
possibly use this issue to perform phishing attacks. This update provides
the corresponding fix for Ubuntu 24.04 LTS and Ubuntu 24.10.
(CVE-2023-46750)

It was discovered that Apache Shiro incorrectly handled requests through
servlet filtering. An attacker could possibly use this issue to obtain
administrative privileges. This update provides the corresponding fix for
Ubuntu 16.04 LTS. (CVE-2016-6802)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   libshiro-java                   1.3.2-5ubuntu0.24.10.1

Ubuntu 24.04 LTS
   libshiro-java                   1.3.2-5ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS
   libshiro-java                   1.2.4-1ubuntu0.1~esm2
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7147-1
   CVE-2016-6802, CVE-2023-34478, CVE-2023-46749, CVE-2023-46750

Package Information:
https://launchpad.net/ubuntu/+source/shiro/1.3.2-5ubuntu0.24.10.1


--------------hkRzfVtAz02q0NRyd7MrDD1n--

--------------97hkLAv6ZDNc1imMhrtbqwVg
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEELOLXZEFYQHcSWEHiyfW2m9Ldu6sFAmdYlCAFAwAAAAAACgkQyfW2m9Ldu6sG
rA//czaIv5eFx/OSHv08mjDHW4vja3ewYBXxgZXFw338Evo/lGULxA1rAy9nSmVHKLA8DP3tl9va
6lcRf1j33vD3v96tX/KnfcmlyqUoOjl+DWVGvnRmemtWScgikmhsBhXKMsmILRzR3pvPkWRcJxMB
vReE2CpnUj3rqntpKtcdLpsPJ9fdX/HzcdeEb3M9nycoHiTMvFOK6Row6AvtCsKBE2bnSDckzw56
xp7im9IhFuuHHRrqKbgk6HMp2VaHU7FvweUwBUloxcXpGcW6w4biPdPIR+N/jmjyULuKoj+DtuiG
cwGdqvbzV//kArQEi3vegxQ82atOXifL17SixeytzfCc1R9fpjcsLs8Uhvbh4al2UbR3/ESmWv4V
Kemb/w1KtOJZTxO96tvQ2whTS43RPCJ7Jf3mZ6pn/P2QDBqp2w5nJ1FdxE3FGzz0xEbLogkkMQpf
NDmxXAoHGQnQV7t/+1QCh4osOLeUm8WdE2053oAJvVpwD+TNRvPT2VFTc/7CK4NMejWvKOlKse5Z
qufGpCuQoeRp22GWwDQCs5qxShu1KdOW8Lng5ZFZW34p2U9SFiPKuE7kgP/M3t+0AkPePkgEOwbh
f/YF7wLgtWQrP2Ic5bFzw0UPErPoEeD4v2Y8ncXobGp/amYiMNEBnvsHZhuMoJs4gJUdcIbRgjfG
xAI=
=BXEF
-----END PGP SIGNATURE-----

--------------97hkLAv6ZDNc1imMhrtbqwVg--


--===============5144533814275683973==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============5144533814275683973==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung