This set of transitive dependency exclusions *might* allow bumping from
Java CAS Client 3.2.1 to 3.3.2:

https://github.com/Jasig/uPortal/pull/404

I'm concerned about potentially losing Tomcat 6 support (needs testing?)
and about how fragile this solution may be.  Still feeling like a bump to a
Java CAS Client 3.2.1.1 would be a more conservative and appropriate move
for this late in the rel-4-0-patches uPortal maintenance branch.



On Mon, Aug 11, 2014 at 10:50 PM, Andrew Petro <apetro.li...@gmail.com>
wrote:

> MA> we will consider providing official patches for [Java CAS Client 3.2
> and 3.1] lines if there is interest.
>
> TM> if [fixed versions of 3.2 and 3.1 Java CAS client versions] were
> available that would ease the patching, I'm sure.
>
> Yes, it would ease patching.  I'm finding getting a uPortal 4.0 release
> squared away jumping from a Java CAS Client 3.2 version to 3.3.2 to be
> substantially unpleasant.
>
> Andrew
>
>
>
> On Mon, Aug 11, 2014 at 4:50 PM, Tim McLaughlin <tim.mclaugh...@wwu.edu>
> wrote:
>
>> On 2014/08/11, 12:46 PM, "Marvin Addison" <marvin.addi...@gmail.com>
>> wrote:
>>
>> >> Does this affect ALL versions of the Java client prior to 3.3.2?
>> >
>> >I did code review of the latest 3.2 and 3.1 versions and they were
>> >both vulnerable. I built one-off patches for my institution, but we
>> >will consider providing official patches for those lines if there is
>> >interest.
>>
>> So far I'm doing fact-finding before I announce to folks here, but if they
>> were available that would ease the patching, I'm sure.  Don't know how
>> much trouble that is.  :)
>>
>> For my couple of apps, I will probably take the opportunity to get
>> current.
>>
>> >
>> >> Also, is there a way to get the 3.3.2 jar without having to do a Maven
>> >> build?  Latest on the downloads site is 3.2.x.
>> >
>> >I noticed there's no download bundle as well. I imagine Scott simply
>> >hasn't gotten to it yet, but I'm sure simply mentioning it here will
>> >make it magically appear :)
>> >
>> >M
>>
>> :) As always, the work of those of you officially involved with CAS is
>> much appreciated.
>>
>> Thanks,
>> Tim
>>
>>

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Reply via email to