Hi Jerome,

We would prefer to hang back from version 4 until it stabilises. We don't
want to use a "bleeding edge" version in Production. It would be nice if a
stable previous version was simultaneously maintained.

Regards,
Ganesh
On 3 Jun 2014 21:07, "Jérôme LELEU" <lel...@gmail.com> wrote:

> Hi,
>
> We have focused our efforts on the CAS server version 4.0. So I recommend
> you upgrade to this one.
> If we use inappropriate versions of some libraries, we may consider fixing
> that with a new 4.0.1 version.
> Thanks.
> Best regards,
>
>
> 2014-06-03 8:10 GMT+02:00 Ganesh and Sashi Prasad <g.c.pra...@gmail.com>:
>
>> Hi,
>>
>> We're shortly going live with a web application protected by CAS 3.5.2.
>> As part of due diligence, we had a security agency perform an audit, and
>> some of their findings related to outdated and vulnerable libraries bundled
>> with CAS. Other CAS users would potentially be interested in these findings.
>>
>> I provide an excerpt from the report below:
>>
>> "- Spring 3.1, Contains multiple vulnerabilities including XXE
>> (CVE-2013-6429), (http://seclists.org/fulldisclosure/2013/Aug/233)
>> - ESAPI-2.0GA, Contains an authentication bypass.
>> (http://lists.owasp.org/pipermail/esapi-dev/2013-September/002295.html)
>> - OpenSAML-2.5.1-1, Contains XXE vulnerabilities
>> (http://www.cvedetails.com/cve/CVE-2013-6440/)"
>>
>> Is it possible to issue a maintenance release of 3.5 that fixes these
>> vulnerabilities by upgrading the above libraries?
>>
>> Thanks and regards,
>> Ganesh Prasad
>>
>> --
>> You are currently subscribed to cas-dev@lists.jasig.org as: lel...@gmail.com
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>>
>>
>
>
> --
> Jérôme LELEU
> Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
> Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
>
>
>
>

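The audit excerpt quoted in the thread names three bundled libraries by version. The script below is an added example, not code from the CAS project or from anyone in the thread: it lists the jars under WEB-INF/lib in a CAS WAR and flags the ones whose artifact and version match those three findings, which is the check a deployer would run against their own cas.war before going live. The jar names in its sample WAR are constructed for the demonstration and are not the actual contents of a CAS 3.5.2 distribution, and the prefix matcher (treating "Spring 3.1" as any spring-* jar at 3.1.x) is an assumption about how the report's version strings map onto jar file names.

```python
"""Inventory the jars bundled in a CAS WAR's WEB-INF/lib and flag the
artifact/version pairs named in the audit excerpt quoted in the thread.

Added example for this page; not CAS project code.  AUDIT_FINDINGS repeats
the report excerpt; the WAR built by build_sample_war() is constructed for
the demonstration and is not the real contents of a CAS 3.5.2 distribution.
"""
import io
import re
import zipfile

# artifact-name-1.2.3.jar: the artifact id may itself contain hyphens, so
# take the shortest prefix that is followed by "-<digit...>.jar".
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")

# (artifact regex, version prefix, finding) as worded in the audit excerpt.
# Mapping "Spring 3.1" onto any spring-* jar at 3.1.x is an assumption.
AUDIT_FINDINGS = [
    (r"^spring-", "3.1", "Spring 3.1: multiple vulnerabilities including XXE (CVE-2013-6429)"),
    (r"^esapi$", "2.0GA", "ESAPI 2.0GA: authentication bypass"),
    (r"^opensaml$", "2.5.1-1", "OpenSAML 2.5.1-1: XXE (CVE-2013-6440)"),
]


def parse_jar_name(path):
    """Return (artifact, version) for a jar path, or None if it is not a
    versioned jar."""
    base = path.rsplit("/", 1)[-1]
    m = JAR_NAME.match(base)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_matches(version, prefix):
    """True when `version` equals `prefix` or is a sub-release of it:
    '3.1' matches '3.1.4.RELEASE' but not '3.10.1'."""
    if not version.startswith(prefix):
        return False
    rest = version[len(prefix):]
    return rest == "" or rest[0] in ".-_"


def inventory(war_bytes):
    """Return sorted (artifact, version) pairs for every jar under
    WEB-INF/lib in the WAR; other entries are ignored."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not name.startswith("WEB-INF/lib/") or not name.endswith(".jar"):
                continue
            parsed = parse_jar_name(name)
            if parsed is not None:
                found.append(parsed)
    return sorted(found)


def audit(jars, findings=AUDIT_FINDINGS):
    """Return (artifact, version, finding) for each bundled jar that matches
    a finding; an empty list means none of the reported versions is bundled."""
    flagged = []
    for artifact, version in jars:
        for artifact_re, version_prefix, finding in findings:
            if re.search(artifact_re, artifact) and version_matches(version, version_prefix):
                flagged.append((artifact, version, finding))
    return flagged


# Constructed sample: jar names chosen to exercise the matcher, not a copy
# of what CAS 3.5.2 actually ships.
SAMPLE_JARS = [
    "WEB-INF/lib/cas-server-core-3.5.2.jar",
    "WEB-INF/lib/spring-core-3.1.4.RELEASE.jar",
    "WEB-INF/lib/spring-web-3.1.4.RELEASE.jar",
    "WEB-INF/lib/esapi-2.0GA.jar",
    "WEB-INF/lib/opensaml-2.5.1-1.jar",
    "WEB-INF/lib/commons-lang-2.6.jar",
]


def build_sample_war():
    """Build an in-memory WAR whose jars are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in SAMPLE_JARS:
            war.writestr(jar, b"")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python audit_war.py [path/to/cas.war]; with no argument the
    # constructed sample WAR is scanned instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_war()
    for artifact, version, finding in audit(inventory(data)):
        print(f"{artifact}-{version}.jar  <-  {finding}")
```

Run it against the deployed cas.war rather than the source tree: the WAR is what actually serves requests, and overlay builds can pull in jar versions that differ from the upstream distribution. Jars that carry no version in their file name are skipped by the parser and have to be checked by hand from their MANIFEST.MF.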