List: shibboleth-users
Subject: RE: Ex: Re: SSPCPP-961
From: "Paul B. Henson" <henson () cpp ! edu>
Date: 2023-03-09 2:04:18
Message-ID: PH0PR01MB75237C87842D8049BB630BB9D2B59 () PH0PR01MB7523 ! prod ! exchangelabs ! com
> From: Cantor, Scott
> Sent: Wednesday, March 8, 2023 5:22 AM
>
> That's why I didn't want to do it. The intent as Rod said was not to do that on
> upgrades, so please file a bug.
Done.
> I simply didn't have the time to keep arguing with the guy about it, but I did
> warn him that at the first sign of trouble, it was getting pulled.
Doesn't Jira have a "CLOSED WONTFIX" option :)? Dunno. It's not like the installation
instructions didn't call it out, but on the other hand, how many Windows
administrators are going to go back and tune up ACLs by hand after they double-click
the installer?

If random authenticated users can in general access your server you're in a bad
situation to begin with. The primary thing I could see happening with this is if
somebody got a remote compromise with low privileges they could potentially escalate
by doing this, but on the other hand, depending on the patch level of the server,
they would have quite the menu of bundled vulnerabilities to choose from.