> > You know what you don't do for a "minor weakness"? Publish a CVE with a title including "allows remote attackers to bypass LDAP authentication via crafted wildcards".
Paul, I get your frustration and I can sympathize. The CVE appeared to come at us from outside the project, and its imminent publishing prompted the release and arguably poorly crafted security advisory from us. You can chalk that up to haste on our part. On balance, we felt it best to have a patched version available for download _prior_ to the CVE getting published.

As for the CVE text itself, I have no idea where it came from. I don't believe it came from the core dev team.

M
