> From: Marvin Addison
> Sent: Friday, January 23, 2015 11:59 AM
>
> Paul, I get your frustration and I can sympathize.

Thanks. Sorry I did get a bit grumpy; I had some maintenance work scheduled for Thursday morning, and by the time I sorted out that this was not a critical security issue needing immediate attention I ended up having to postpone it <sigh>.

> On balance, we felt it best to have a patched version available for
> download _prior_ to the CVE getting published.

Absolutely. It just would have been nice had the announcement of the patched version more accurately assessed the vulnerability and criticality thereof.

> As for the CVE text itself, I have
> no idea where it came from. I don't believe it came from the core dev team.

It appears to have come from J. Tozo, allegedly of the "Alligator Security Team". If you Google that, you find a couple of other posts attributed to that group, but the authors of those posts identified themselves with @alligatorteam.org addresses as opposed to this guy, whose address appears to be [email protected].

Interestingly, he posted a very similar "exploit" in a different software package:

http://seclists.org/oss-sec/2014/q4/1130

However, that one is labeled a "Web LDAP Injection", which is a touch more accurate. (Hey J. Tozo, why isn't that issue, almost identical to this one, also an "authentication bypass"?)

While it was clear you guys did not write the CVE, you did reference it in your official announcement, which gave it some implicit authority and assumption of accuracy which it clearly did not deserve. Given CAS is authentication software, typically a critical part of an identity management infrastructure, I guess I was holding you guys to a bit of a higher standard in terms of handling security issues :).

This was certainly a bug, a bug deserving of being fixed, and worth an upgrade if you are affected. But it is in no way an "authentication bypass", and it hardly deserves to be scheduled as an emergency "must" update.

Anyway, to end on a more positive note: CAS is great software and has been working very well for us. We much appreciate the work that goes into it, and I'm sorry I was a bit harsh on you guys regarding this incident.

Thanks…

--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | [email protected]
California State Polytechnic University | Pomona CA 91768
