List: shibboleth-users
Subject: Re: Another round of IdP patches coming
From: "Cantor, Scott via users" <users () shibboleth ! net>
Date: 2024-04-11 20:25:20
Message-ID: 7A2B3448-F8D9-44A4-B846-B5B2E0E1EFCC () osu ! edu
This may or may not drop tomorrow, we're triaging something else (not serious) in V5 so we may hold the releases until next week depending on our conclusions.
Once they're available I will update and re-publish the previous security advisory to reflect the new versions as this is the same issue as that one.
-- Scott
On 4/11/24, 10:16 AM, "Cantor, Scott" <cantor.2@osu.edu> wrote:
There's no point in my using the alert list on this as it's public, Spring just dropped another security patch for the same issue again as last time, so we have to do another set of IdP patches to update it.
As before, the only exposure I know of to it is in the CAS code.
I filed an issue for us to take a look at remediating out this Spring utility method for good since it's obvious it's never going to be trustable, but for now patching is the only expedient fix without risking CAS regressions.
-- Scott