Bug#1140001: shiro: CVE-2026-43827 CVE-2026-43828
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 14 14:51:36 BST 2026
Source: shiro
Version: 1.3.2-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for shiro.
CVE-2026-43827[0]:
| Default configurations of Apache Shiro have a session fixation
| vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0,
| and 3.0.0-alpha-1. Users are recommended to upgrade to version
| 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the
| affected versions, when a session already exists, it is not
| invalidated upon successful login, nor is a new session being
| generated with a new ID.
CVE-2026-43828[1]:
| Default configurations of Apache Shiro send sensitive cookies in
| HTTPS session without 'Secure' attribute. This issue affects
| Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are
| recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later,
| which fixes the issue. In the affected versions, Shiro-native
| session manager, as well as Remember-Me manager sends JSESSIONID and
| rememberMe cookies without 'secure' attribute by default.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-43827
https://www.cve.org/CVERecord?id=CVE-2026-43827
[1] https://security-tracker.debian.org/tracker/CVE-2026-43828
https://www.cve.org/CVERecord?id=CVE-2026-43828
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list