But Jim's original question remains: why was 5.2.x suddenly removed from the support list 6 days ago when it was originally not scheduled to hit EOL until November 27th?
If there's no way to fix it and an upgrade is required, then say that. But just removing it from the list of supported releases 60 days before its support is scheduled to end, with no notice and no explanation, is not helpful.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • [email protected]

On Tue, Oct 1, 2019 at 9:55 AM Riley Wills <[email protected]> wrote:

> This thread doesn't appear to relate to the current vulnerability. A CVE
> does exist at https://www.cvedetails.com/cve/CVE-2019-10754/ which might
> help answer some questions. Seems like the path forward for 5.2.x
> deployments is to upgrade to 5.3.12.1 or a newer version.
>
> On Tuesday, October 1, 2019 at 8:49:37 AM UTC-5, Jim Mulvey wrote:
>>
>> Hi David, based on this thread:
>> https://groups.google.com/a/apereo.org/forum/#!topic/cas-appsec-public/zXqxDN9rB8A
>> I believe the solution for those on the 5.2 branch is to upgrade to 5.2.7
>> Also, that thread suggests that if you're using an alternative MFA
>> solution (we're using Duo) then we're unaffected.
>>
>> I'm not the authority on this, but that's what I'm piecing together.
>> - Jim
>>
>> On Tuesday, October 1, 2019 at 9:24:11 AM UTC-4, David Curry wrote:
>>>
>>> Bump. We have the same questions that Jim asked...
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 646 909-4728 • [email protected]
>>>
>>>
>>> On Mon, Sep 30, 2019 at 11:16 AM Jim Mulvey <[email protected]> wrote:
>>>
>>>> Hello, I see that CAS 5.2.x was removed from the Maintenance Policy (and
>>>> thus considered EOL) 5 days ago, although it was previously set to go EOL
>>>> on November 27th, 2019.
>>>> What does this vulnerability mean to those of us running 5.2.x? Are we
>>>> advised to upgrade to 5.3.x immediately? Why did support for 5.2.x end so
>>>> abruptly?
>>>>
>>>> On Monday, September 30, 2019 at 5:29:43 AM UTC-4, Misagh Moayyed wrote:
>>>>>
>>>>> Please see https://apereo.github.io/2019/09/27/numvulndisc/
>>>>> --
>>>>> *- Misagh*
