Hi, We're shortly going live with a web application protected by CAS 3.5.2. As part of due diligence, we had a security agency perform an audit, and some of their findings related to outdated and vulnerable libraries bundled with CAS. Other CAS users would potentially be interested in these findings.
I provide an excerpt from the report below: "- Spring 3.1, Contains multiple vulnerabilities including XXE (CVE-2013-6429),(http://seclists.org/fulldisclosure/2013/Aug/233) - ESAPI-2.0GA, Contains an authentication bypass. ( http://lists.owasp.org/pipermail/esapi-dev/2013-September/002295.html) - OpenSAML-2.5.1-1, Contains XXE vulnerabilities ( http://www.cvedetails.com/cve/CVE-2013-6440/)" Is it possible to issue a maintenance release of 3.5 that fixes these vulnerabilities by upgrading the above libraries? Thanks and regards, Ganesh Prasad -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
