Update shiro to 1.12.0 for CVE-2023-34478 (#7884)

overmeulen · web-flow · commit d1958146c12a · 2023-09-23T20:43:40.000-07:00
diff --git a/boms/geode-all-bom/src/test/resources/expected-pom.xml b/boms/geode-all-bom/src/test/resources/expected-pom.xml
@@ -330,7 +330,7 @@
       <dependency>
         <groupId>org.apache.shiro</groupId>
         <artifactId>shiro-core</artifactId>
-        <version>1.10.0</version>
+        <version>1.12.0</version>
       </dependency>
       <dependency>
         <groupId>org.assertj</groupId>
diff --git a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -41,7 +41,7 @@ class DependencyConstraints {
     deps.put("jgroups.version", "3.6.14.Final")
     deps.put("log4j.version", "2.17.2")
     deps.put("micrometer.version", "1.9.1")
-    deps.put("shiro.version", "1.10.0")
+    deps.put("shiro.version", "1.12.0")
     deps.put("slf4j-api.version", "1.7.32")
     deps.put("jboss-modules.version", "1.11.0.Final")
     deps.put("jackson.version", "2.13.3")
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -1047,15 +1047,15 @@ lib/mx4j-remote-3.0.2.jar
 lib/mx4j-tools-3.0.1.jar
 lib/ra.jar
 lib/rmiio-2.1.2.jar
-lib/shiro-cache-1.10.0.jar
-lib/shiro-config-core-1.10.0.jar
-lib/shiro-config-ogdl-1.10.0.jar
-lib/shiro-core-1.10.0.jar
-lib/shiro-crypto-cipher-1.10.0.jar
-lib/shiro-crypto-core-1.10.0.jar
-lib/shiro-crypto-hash-1.10.0.jar
-lib/shiro-event-1.10.0.jar
-lib/shiro-lang-1.10.0.jar
+lib/shiro-cache-1.12.0.jar
+lib/shiro-config-core-1.12.0.jar
+lib/shiro-config-ogdl-1.12.0.jar
+lib/shiro-core-1.12.0.jar
+lib/shiro-crypto-cipher-1.12.0.jar
+lib/shiro-crypto-core-1.12.0.jar
+lib/shiro-crypto-hash-1.12.0.jar
+lib/shiro-event-1.12.0.jar
+lib/shiro-lang-1.12.0.jar
 lib/slf4j-api-1.7.32.jar
 lib/slf4j-api-1.7.36.jar
 lib/snappy-0.4.jar
diff --git a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -47,8 +47,8 @@ antlr-2.7.7.jar
 istack-commons-runtime-4.0.1.jar
 jaxb-impl-2.3.2.jar
 commons-validator-1.7.jar
-shiro-core-1.10.0.jar
-shiro-config-ogdl-1.10.0.jar
+shiro-core-1.12.0.jar
+shiro-config-ogdl-1.12.0.jar
 commons-beanutils-1.9.4.jar
 commons-codec-1.15.jar
 commons-collections-3.2.2.jar
@@ -69,13 +69,13 @@ jna-platform-5.11.0.jar
 jna-5.11.0.jar
 snappy-0.4.jar
 jgroups-3.6.14.Final.jar
-shiro-cache-1.10.0.jar
-shiro-crypto-hash-1.10.0.jar
-shiro-crypto-cipher-1.10.0.jar
-shiro-config-core-1.10.0.jar
-shiro-event-1.10.0.jar
-shiro-crypto-core-1.10.0.jar
-shiro-lang-1.10.0.jar
+shiro-cache-1.12.0.jar
+shiro-crypto-hash-1.12.0.jar
+shiro-crypto-cipher-1.12.0.jar
+shiro-config-core-1.12.0.jar
+shiro-event-1.12.0.jar
+shiro-crypto-core-1.12.0.jar
+shiro-lang-1.12.0.jar
 slf4j-api-1.7.36.jar
 spring-beans-5.3.21.jar
 javax.activation-api-1.2.0.jar
diff --git a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
@@ -1,8 +1,8 @@
 spring-web-5.3.21.jar
-shiro-event-1.10.0.jar
-shiro-crypto-hash-1.10.0.jar
-shiro-crypto-cipher-1.10.0.jar
-shiro-config-core-1.10.0.jar
+shiro-event-1.12.0.jar
+shiro-crypto-hash-1.12.0.jar
+shiro-crypto-cipher-1.12.0.jar
+shiro-config-core-1.12.0.jar
 commons-digester-2.1.jar
 commons-validator-1.7.jar
 spring-jcl-5.3.21.jar
@@ -23,11 +23,11 @@ geode-cq-0.0.0.jar
 geode-old-client-support-0.0.0.jar
 javax.servlet-api-3.1.0.jar
 jgroups-3.6.14.Final.jar
-shiro-cache-1.10.0.jar
+shiro-cache-1.12.0.jar
 httpcore-4.4.15.jar
 spring-beans-5.3.21.jar
 lucene-queries-6.6.6.jar
-shiro-core-1.10.0.jar
+shiro-core-1.12.0.jar
 HikariCP-4.0.3.jar
 slf4j-api-1.7.32.jar
 geode-http-service-0.0.0.jar
@@ -63,7 +63,7 @@ jetty-io-9.4.47.v20220610.jar
 geode-deployment-legacy-0.0.0.jar
 commons-beanutils-1.9.4.jar
 log4j-core-2.17.2.jar
-shiro-crypto-core-1.10.0.jar
+shiro-crypto-core-1.12.0.jar
 jaxb-api-2.3.1.jar
 geode-unsafe-0.0.0.jar
 spring-shell-1.2.0.RELEASE.jar
@@ -73,14 +73,14 @@ log4j-jul-2.17.2.jar
 HdrHistogram-2.1.12.jar
 jackson-annotations-2.13.3.jar
 micrometer-core-1.9.1.jar
-shiro-config-ogdl-1.10.0.jar
+shiro-config-ogdl-1.12.0.jar
 geode-log4j-0.0.0.jar
 lucene-analyzers-phonetic-6.6.6.jar
 spring-context-5.3.21.jar
 jetty-security-9.4.47.v20220610.jar
 geode-logging-0.0.0.jar
 commons-io-2.11.0.jar
-shiro-lang-1.10.0.jar
+shiro-lang-1.12.0.jar
 javax.transaction-api-1.3.jar
 geode-common-0.0.0.jar
 antlr-2.7.7.jar
