I've created an issue for the XMLSec: http://www.ja-sig.org/issues/browse/CAS-803
Cheers, Scott

On Fri, Oct 2, 2009 at 1:30 PM, Marvin Addison <[email protected]> wrote:
>
> An enterprise architect has raised licensing concerns to me about
> opensaml-1.1b.jar in CAS. It is unsupported and of unknown licensing.
>
> Neither of these points is correct based on Internet2 documentation.
> https://spaces.internet2.edu/display/OpenSAML/OS1Status clearly states
> that 1.1b is the latest and subject to the following support:
>
> With respect to the supported versions, "support" constitutes a
> promise to address security-related bugs by applying patches to the
> subversion branch. It may include additional formal releases to
> incorporate these fixes, but this is NOT guaranteed. Other bug fixes
> and enhancements are likely to be restricted to issues that impact our
> ability to continue to support the 1.3.x branch of the Shibboleth code
> base. Other issues are likely to be ignored.
>
> (please refer to
> https://spaces.internet2.edu/display/OpenSAML/OSTwoLicense)
>
> This link states that the latest OpenSAML 1.x versions are Apache
> licensed. The "few early versions" that link mentions would not
> include the latest 1.1b.
>
> Another note of interest: CAS includes xmlsec-1.4.0 that has security
> vulnerabilities. It needs to be upgraded to version 1.4.3
>
> (reference: http://www.kb.cert.org/vuls/id/466161
> http://santuario.apache.org/Java/index.html )
>
> While it's probably wise to upgrade xmlsec, it's important to note
> that CAS does not use XML digital signatures in any way for the SAML
> response it sends to clients, so the vulnerability would not affect
> CAS currently.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
