On Sat, Jan 24, 2015 at 01:08:46AM -0800, Jérôme LELEU wrote:

>    I planned not to interfere in this discussion, but seriously we should
>    stop it now.

Sorry for the noise. Assuming the other party gives up trying to defend
his inaccurate CVE, I've got nothing else to say about it.

>    I made the announcement and I reviewed and agreed to the CVE: so I'll
>    take my full part of responsibility if things are not clear.

You really agreed to the characterization of this as an "authentication
bypass"? 

>    No "critical" word. Maybe I should have said "minor".  I did not say
>    "you should upgrade NOW!".

"Must" has quite a different connotation than "should". And while your
announcement didn't contain "critical", the CVE referenced claimed there
was an "authentication bypass", and what sysadmin is going to take
"security fix", "must update" and "authentication bypass" as anything but
a critical issue?

>    I think "LDAP login with wildcards" is a reasonable description.

I agree. With your announcement exactly as it was, and a CVE entitled
more along the lines of "LDAP login with wildcards allows authentication
with partial username match" there wouldn't have been such an inaccurate
sense of urgency.

>    I don't think we can always imagine all use cases and data topology, so
>    one must be careful and upgrade to 3.5.3, even it's not in a hurry.

Yes, it's generally a best practice to run the most recent stable
version of a software package, after appropriate review of changes and
testing, and deployment scheduled for a regular maintenance window.
Which we will likely do. The issue was that, intentionally or not, the
combination of the announcement and the inaccurate CVE gave the
impression that this was an important update that needed attention ASAP,
possibly even requiring an emergency out-of-window update. Am I really
the only one here that read the announcement, looked up the CVE, and
initially came to that inaccurate assessment?

>    we haven't created a CVE, I'm sure someone would have blamed us for
>    that.

CVEs are assigned to issues minor or critical, so I've no complaints about
the CVE per se, just that it was poorly written.

>    But, above all, I'd like to remind you about the great efforts and
>    the good will of the volunteers of the CAS community. We deserve
>    more clemency (we are not all in the same timezones and are not all
>    fluent in English) and courtesy.

I believe I already mentioned in another message in this thread how much
we appreciate the CAS software and the efforts of the developers. While
from a constructive criticism perspective the official CAS
announcement could have been handled better, the primary issue was the
misleading CVE title.

I probably could have dealt with this a bit more diplomatically; the
interruption to my planned schedule and the fallout therefrom put me in a
bit of a bad mood, and for that I apologize.

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  [email protected]
California State Polytechnic University  |  Pomona CA 91768

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user