That exclusion list is alarming.  Not that this is a "great" solution, but I
wonder if most of those would be excluded automatically by excluding the
SAML jar.

Nonetheless we should definitely look at the effort involved in a 3.2.1.1
release as we want to maximize the number of people who upgrade.


On Tue, Aug 12, 2014 at 3:42 PM, Andrew Petro <apetro.li...@gmail.com>
wrote:

> This set of transitive dependency exclusions *might* allow bumping from
> Java CAS Client 3.2.1 to 3.3.2:
>
> https://github.com/Jasig/uPortal/pull/404
>
> I'm concerned about potentially losing Tomcat 6 support (needs testing?)
> and about how fragile this solution may be.  Still feeling like a bump to a
> Java CAS Client 3.2.1.1 would be a more conservative and appropriate move
> for this late in the rel-4-0-patches uPortal maintenance branch.
>
>
>
> On Mon, Aug 11, 2014 at 10:50 PM, Andrew Petro <apetro.li...@gmail.com>
> wrote:
>
>> MA> we will consider providing official patches for [Java CAS Client 3.2
>> and 3.1] lines if there is interest.
>>
>> TM> if [fixed versions of 3.2 and 3.1 Java CAS client versions] were
>> available that would ease the patching, I'm sure.
>>
>> Yes, it would ease patching.  I'm finding getting a uPortal 4.0 release
>> squared away jumping from a Java CAS Client 3.2 version to 3.3.2 to be
>> substantially unpleasant.
>>
>> Andrew
>>
>>
>>
>> On Mon, Aug 11, 2014 at 4:50 PM, Tim McLaughlin <tim.mclaugh...@wwu.edu>
>> wrote:
>>
>>> On 2014/08/11, 12:46 PM, "Marvin Addison" <marvin.addi...@gmail.com>
>>> wrote:
>>>
>>> >> Does this affect ALL versions of the Java client prior to 3.3.2?
>>> >
>>> >I did code review of the latest 3.2 and 3.1 versions and they were
>>> >both vulnerable. I built one-off patches for my institution, but we
>>> >will consider providing official patches for those lines if there is
>>> >interest.
>>>
>>> So far I'm doing fact-finding before I announce to folks here, but if they
>>> were available that would ease the patching, I'm sure.  Don't know how
>>> much trouble that is.  :)
>>>
>>> For my couple of apps, I will probably take the opportunity to get current.
>>>
>>> >
>>> >> Also, is there a way to get the 3.3.2 jar without having to do a Maven
>>> >> build?  Latest on the downloads site is 3.2.x.
>>> >
>>> >I noticed there's no download bundle as well. I imagine Scott simply
>>> >hasn't gotten to it yet, but I'm sure simply mentioning it here will
>>> >make it magically appear :)
>>> >
>>> >M
>>>
>>> :) As always, the work of those of you officially involved with CAS is
>>> much appreciated.
>>>
>>> Thanks,
>>> Tim
>>>
>>>
> --
> You are currently subscribed to cas-user@lists.jasig.org as: 
> scott.battag...@gmail.com
>
>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
