Release Announcement: CAS Security Patches


Misagh

Sep 30, 2019, 5:29:41 AM
to CAS Community, CAS Developer, cas-an...@apereo.org

Jim Mulvey

Sep 30, 2019, 11:16:20 AM
to CAS Community, cas...@apereo.org, cas-an...@apereo.org
Hello, I see that CAS 5.2.x was removed from the Maintenance Policy (and thus considered EOL) 5 days ago, although it was previously set to go EOL on November 27th, 2019.
What does this vulnerability mean to those of us running 5.2.x? Are we advised to upgrade to 5.3.x immediately? Why did support for 5.2.x end so abruptly?

David Curry

Oct 1, 2019, 9:24:11 AM
to Jim Mulvey, CAS Community, CAS Developer, cas-an...@apereo.org
Bump. We have the same questions that Jim asked...

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 | david...@newschool.edu



--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/132ff915-c774-4eb6-a04c-a0cc1767b72d%40apereo.org.

Jim Mulvey

Oct 1, 2019, 9:49:33 AM
to CAS Developer, jmulv...@gmail.com, cas-...@apereo.org, cas-an...@apereo.org
Hi David, based on this thread: https://groups.google.com/a/apereo.org/forum/#!topic/cas-appsec-public/zXqxDN9rB8A
I believe the solution for those on the 5.2 branch is to upgrade to 5.2.7
Also, that thread suggests that if you're using an alternative MFA solution (we're using Duo) then we're unaffected.

I'm not the authority on this, but that's what I'm piecing together.
- Jim


Riley Wills

Oct 1, 2019, 9:51:24 AM
to cas-...@apereo.org, Jim Mulvey, CAS Developer, cas-an...@apereo.org
Check out https://apereo.github.io/2019/09/27/numvulndisc/ that does mention "previous CAS versions are considered EOL and are advised to upgrade."

— 
Riley Wills
Senior Programmer, Enterprise Applications




--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPGbdUFuKi3%3DJVE4cfwmiZ7tT9zpG8%2B14-Wj2cqGyUN%2Bg%40mail.gmail.com.

Riley Wills

Oct 1, 2019, 9:55:38 AM
to CAS Community, cas...@apereo.org, jmulv...@gmail.com, cas-an...@apereo.org
This thread doesn't appear to relate to the current vulnerability. A CVE does exist at https://www.cvedetails.com/cve/CVE-2019-10754/ which might help answer some questions. Seems like the path forward for 5.2.x deployments is to upgrade to 5.3.12.1 or a newer version.

David Curry

Oct 1, 2019, 10:02:14 AM
to Riley Wills, CAS Community, CAS Developer, Jim Mulvey, cas-an...@apereo.org
But Jim's original question remains: why was 5.2.x suddenly removed from the support list 6 days ago when it was originally not scheduled to hit EOL until November 27th?

If there's no way to fix it and an upgrade is required, then say that. But just removing it from the list of supported releases 60 days before its support is scheduled to end, with no notice and no explanation, is not helpful.


Riley Wills

Oct 1, 2019, 10:06:22 AM
to CAS Community, rjw...@acu.edu, cas...@apereo.org, jmulv...@gmail.com, cas-an...@apereo.org
I see your point now. You would expect a patch to 5.2.x to address this vulnerability if this version has not reached its EOL.