Ganesh,

Availability of a maintenance release is mostly predicated on deployer interest and someone to do the work. If you are going to move forward on a 3.5.x release with updated libraries, a pull request would be the best way to encourage a release.

Best,
Bill

On Tue, Jun 3, 2014 at 2:10 AM, Ganesh and Sashi Prasad <g.c.pra...@gmail.com> wrote:
> Hi,
>
> We're shortly going live with a web application protected by CAS 3.5.2. As
> part of due diligence, we had a security agency perform an audit, and some
> of their findings related to outdated and vulnerable libraries bundled with
> CAS. Other CAS users would potentially be interested in these findings.
>
> I provide an excerpt from the report below:
>
> "- Spring 3.1, Contains multiple vulnerabilities including XXE
> (CVE-2013-6429), (http://seclists.org/fulldisclosure/2013/Aug/233)
> - ESAPI-2.0GA, Contains an authentication bypass.
> (http://lists.owasp.org/pipermail/esapi-dev/2013-September/002295.html)
> - OpenSAML-2.5.1-1, Contains XXE vulnerabilities
> (http://www.cvedetails.com/cve/CVE-2013-6440/)"
>
> Is it possible to issue a maintenance release of 3.5 that fixes these
> vulnerabilities by upgrading the above libraries?
>
> Thanks and regards,
> Ganesh Prasad
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: wgt...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev