> An enterprise architect has raised licensing concerns to me about
> opensaml-1.1b.jar in CAS. It is unsupported and of unknown licensing.

Neither of these points is correct based on Internet2 documentation. https://spaces.internet2.edu/display/OpenSAML/OS1Status clearly states that 1.1b is the latest and subject to the following support:

    With respect to the supported versions, "support" constitutes a promise to address security-related bugs by applying patches to the subversion branch. It may include additional formal releases to incorporate these fixes, but this is NOT guaranteed. Other bug fixes and enhancements are likely to be restricted to issues that impact our ability to continue to support the 1.3.x branch of the Shibboleth code base. Other issues are likely to be ignored.

> (please refer to https://spaces.internet2.edu/display/OpenSAML/OSTwoLicense)

This link states that the latest OpenSAML 1.x versions are Apache licensed. The "few early versions" that link mentions would not include the latest 1.1b.

> Another note of interest: CAS includes xmlsec-1.4.0 that has security
> vulnerabilities. It needs to be upgraded to version 1.4.3
> (reference: http://www.kb.cert.org/vuls/id/466161
> http://santuario.apache.org/Java/index.html )

While it's probably wise to upgrade xmlsec, it's important to note that CAS does not use XML digital signatures in any way for the SAML response it sends to clients, so the vulnerability would not affect CAS currently.

M

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
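Since the thread above recommends upgrading xmlsec to 1.4.3, here is a small audit script for checking which xmlsec jar a CAS deployment actually ships. It is an added example, not code from the thread or from the CAS project; it assumes the jars sit in a single directory (for a deployed CAS war, typically WEB-INF/lib) and are named xmlsec-<version>.jar, and it compares versions numerically per segment so that, for instance, 1.4.10 is correctly treated as newer than 1.4.3.

```shell
#!/bin/sh
# Added example (not from the cas-user thread or the CAS project):
# flag xmlsec jars older than 1.4.3 in a CAS lib directory.
# Assumptions: jars live in one directory and are named xmlsec-<ver>.jar.

MIN_XMLSEC="1.4.3"   # version the thread says to upgrade to

# Extract the version from a jar file name such as xmlsec-1.4.0.jar.
# Prints nothing if the name does not match the expected pattern.
jar_version() {
    printf '%s\n' "$1" | sed -n 's/^.*xmlsec-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Return 0 if dotted version $1 >= $2, 1 otherwise.
# Segments are compared as integers, so 1.4.10 > 1.4.3 (string compare
# would get this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0;
            bi = (i <= m) ? y[i] + 0 : 0;
            if (ai > bi) exit 0;
            if (ai < bi) exit 1;
        }
        exit 0
    }'
}

# Print one line per xmlsec jar under directory $1:
#   "<jar> ok", "<jar> UPGRADE (below 1.4.3)" or "<jar> unknown-version"
check_xmlsec_jars() {
    dir="$1"
    for jar in "$dir"/xmlsec-*.jar; do
        [ -e "$jar" ] || continue          # no match: glob stays literal
        name=$(basename "$jar")
        ver=$(jar_version "$name")
        if [ -z "$ver" ]; then
            echo "$name unknown-version"
        elif version_ge "$ver" "$MIN_XMLSEC"; then
            echo "$name ok"
        else
            echo "$name UPGRADE (below $MIN_XMLSEC)"
        fi
    done
}

# Usage: sh check_xmlsec.sh /path/to/cas/WEB-INF/lib
if [ $# -gt 0 ]; then
    check_xmlsec_jars "$1"
fi
```

The script only inspects file names; it does not prove the jar is unused, so it complements rather than replaces the point made in the thread about whether CAS exercises XML Signature at all.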
