This set of transitive dependency exclusions *might* allow bumping from Java CAS Client 3.2.1 to 3.3.2:
https://github.com/Jasig/uPortal/pull/404

I'm concerned about potentially losing Tomcat 6 support (needs testing?) and about how fragile this solution may be.

Still feeling like a bump to a Java CAS Client 3.2.1.1 would be a more conservative and appropriate move for this late in the rel-4-0-patches uPortal maintenance branch.

On Mon, Aug 11, 2014 at 10:50 PM, Andrew Petro <apetro.li...@gmail.com> wrote:

> MA> we will consider providing official patches for [Java CAS Client 3.2
> and 3.1] lines if there is interest.
>
> TM> if [fixed versions of 3.2 and 3.1 Java CAS client versions] were
> available that would ease the patching, I'm sure.
>
> Yes, it would ease patching. I'm finding getting a uPortal 4.0 release
> squared away jumping from a Java CAS Client 3.2 version to 3.3.2 to be
> substantially unpleasant.
>
> Andrew
>
> On Mon, Aug 11, 2014 at 4:50 PM, Tim McLaughlin <tim.mclaugh...@wwu.edu>
> wrote:
>
>> On 2014/08/11, 12:46 PM, "Marvin Addison" <marvin.addi...@gmail.com>
>> wrote:
>>
>> >> Does this affect ALL versions of the Java client prior to 3.3.2?
>> >
>> >I did code review of the latest 3.2 and 3.1 versions and they were
>> >both vulnerable. I built one-off patches for my institution, but we
>> >will consider providing official patches for those lines if there is
>> >interest.
>>
>> So far I'm doing fact-finding before I announce to folks here, but if they
>> were available that would ease the patching, I'm sure. Don't know how
>> much trouble that is. :)
>>
>> For my couple of apps, I will probably take the opportunity to get
>> current.
>>
>> >
>> >> Also, is there a way to get the 3.3.2 jar without having to do a Maven
>> >> build? Latest on the downloads site is 3.2.x.
>> >
>> >I noticed there's no download bundle as well. I imagine Scott simply
>> >hasn't gotten to it yet, but I'm sure simply mentioning it here will
>> >make it magically appear :)
>> >
>> >M
>>
>> :) As always, the work of those of you officially involved with CAS is
>> much appreciated.
>>
>> Thanks,
>> Tim
>>

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user