2010 November - Board report for Apache Shiro

Shiro is a powerful and flexible open-source application security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

We have no issues that require Board assistance at this time.

Releases:
- We are proud to announce that we have made our first release as a
  TLP, Apache Shiro version 1.1.0 on November 1st, 2010.

Community & Project:
 - No new committers or PMC members
 - Community interaction and user list traffic has grown significantly
   since becoming a TLP, with over 400 emails on the user and dev
   mailing lists last month.  This is more than double the average
   monthly traffic we had while in incubation, showing
   continued growth and a healthy community as a TLP.
 - We experienced our first security vulnerability CVE issue.  It wasn't
   handled as appropriately as it should have, with the issue becoming
   public (in a roundabout way) before it should have been made known.
   We dealt with the issue, fixed the source code, and very shortly
   thereafter released version 1.1.0.  This was a bit difficult as this
   CVE issue overlapped with the other issues required for 1.1 and because
   we had not yet released a TLP version, we couldn't simply create a
   point release and just 'get it out the door' quickly.  Instead we
   needed to coordinate the fix in the context of our first TLP
   release, which was a little more challenging.  In any event,
   it was a great learning experience, and we are confident any
   further CVE issues will be handled appropriately.