MA> we will consider providing official patches for [Java CAS Client 3.2
and 3.1] lines if there is interest.

I'm still interested in a patch fixing this issue for the Java CAS Client
3.2 line specifically, since that's the CAS client version used in uPortal
4.0 and 4.1.

However, I've also developed a no-dependencies just-add-a-Filter solution:

https://github.com/Jasig/cas-server-security-filter/pull/6

and intend to ship (a fork of) that Filter in uPortal 4.0.15 and 4.1.1 in
order to un-block the uPortal releases without having to bump those
releases to Java CAS Client 3.3 under duress.

https://github.com/Jasig/uPortal/pull/405

https://github.com/Jasig/uPortal/pull/406

(It might very well be appropriate to circle back and upgrade to the Java
CAS Client 3.3 more calmly for other reasons.  In fact, I expect to update
uPortal `master` (towards uPortal 4.2) to use the Java CAS Client 3.3
version. But this Filter allows that upgrade to not be required in order to
be safe from this vulnerability.)


On Mon, Aug 11, 2014 at 10:50 PM, Andrew Petro <apetro.li...@gmail.com>
wrote:

> MA> we will consider providing official patches for [Java CAS Client 3.2
> and 3.1] lines if there is interest.
>
> TM> if [fixed versions of 3.2 and 3.1 Java CAS client versions] were
> available that would ease the patching, I'm sure.
>
> Yes, it would ease patching.  I'm finding getting a uPortal 4.0 release
> squared away jumping from a Java CAS Client 3.2 version to 3.3.2 to be
> substantially unpleasant.
>
> Andrew
>
>
>
> On Mon, Aug 11, 2014 at 4:50 PM, Tim McLaughlin <tim.mclaugh...@wwu.edu>
> wrote:
>
>> On 2014/08/11, 12:46 PM, "Marvin Addison" <marvin.addi...@gmail.com>
>> wrote:
>>
>> >> Does this affect ALL versions of the Java client prior to 3.3.2?
>> >
>> >I did code review of the latest 3.2 and 3.1 versions and they were
>> >both vulnerable. I built one-off patches for my institution, but we
>> >will consider providing official patches for those lines if there is
>> >interest.
>>
>> So far I'm doing fact-finding before I announce to folks here, but if they
>> were available that would ease the patching, I'm sure.  Don't know how
>> much trouble that is.  :)
>>
>> For my couple of apps, I will probably take the opportunity to get
>> current.
>>
>> >
>> >> Also, is there a way to get the 3.3.2 jar without having to do a Maven
>> >> build?  Latest on the downloads site is 3.2.x.
>> >
>> >I noticed there's no download bundle as well. I imagine Scott simply
>> >hasn't gotten to it yet, but I'm sure simply mentioning it here will
>> >make it magically appear :)
>> >
>> >M
>>
>> :) As always, the work of those of you officially involved with CAS is
>> much appreciated.
>>
>> Thanks,
>> Tim
>>
>>
>> --
>> You are currently subscribed to cas-user@lists.jasig.org as:
>> apetro.li...@gmail.com
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>
