List:       shibboleth-users
Subject:    Re: Another round of IdP patches coming
From:       "Cantor, Scott via users" <users () shibboleth ! net>
Date:       2024-04-11 20:25:20
Message-ID: 7A2B3448-F8D9-44A4-B846-B5B2E0E1EFCC () osu ! edu

This may or may not drop tomorrow, we're triaging something else (not serious) in V5
so we may hold the releases until next week depending on our conclusions.

Once they're available I will update and re-publish the previous security advisory to
reflect the new versions as this is the same issue as that one.

-- Scott

On 4/11/24, 10:16 AM, "Cantor, Scott" <cantor.2@osu.edu> wrote:


There's no point in my using the alert list on this as it's public, Spring just
dropped another security patch for the same issue again as last time, so we have to
do another set of IdP patches to update it.


As before, the only exposure I know of to it is in the CAS code.


I filed an issue for us to take a look at remediating out this Spring utility method
for good since it's obvious it's never going to be trustable, but for now patching is
the only expedient fix without risking CAS regressions.


-- Scott 






