On Sat, Jan 24, 2015 at 02:43:59AM -0800, Yuri Ticini wrote:
Congratulations buddies, you managed to turn a simple release
announcement containing a relevant security fix into one of the biggest
bikeshedding episodes I've seen recently
Bikeshedding? Really? A member of a mailing list
Oh man, are you still here insisting on this bullshit? How old are you,
fourteen?
Let’s get this straight: the researcher you tried to humiliate did a great job
finding a vulnerability and privately reporting it to the CAS PMC, as pointed
out by Jérôme, then wrote a CVE - that has been
Guys --
Can we please kill this thread?
The project has acknowledged that there are opportunities to improve our
reaction and messaging around security concerns and I'm confident we'll
incorporate the learnings from this thread if there are any issues in the
future.
I encourage individuals who
On Sat, Jan 24, 2015 at 08:17:08PM -0800, Yuri Ticini wrote:
Oh man, are you still here insisting on this bullshit? How old are
you, fourteen?
[...]
Does that mean you're above all these people? If that's
the case, why are you keeping your silly sysadmin job? Go for the gold
Hi,
I planned not to interfere in this discussion, but seriously we should stop
it now.
I made the announcement and I reviewed and agreed to the CVE: so I'll take
my full part of the responsibility if things are not clear. I'd like to thank
J. Tozo for the time he took on this and the right approach
Thanks Jérôme, finally someone reasonably stopped this unfortunate conversation.
Congratulations buddies, you managed to turn a simple release announcement
containing a relevant security fix into one of the biggest bikeshedding
episodes I’ve seen recently, just because of an annoyed fella that
Hey dude, I'm sorry if it got you scared, panicked etc. I was not aware
the issue wasn't present in the fast bind ldap authentication because I
discovered it in my own deployment, a year ago. I used other ways to
prevent it from happening here (WAF+fail2ban). I thought it reasonable to write a
small
From: J. Tozo
Sent: Friday, January 23, 2015 10:28 AM
I was not aware the issue wasn't present in the fast bind ldap
authentication because I discovered it in my own deployment, a year ago.
[...]
I thought it reasonable to write a small report about it, the
way I see it could hit my own
You know what you don't do for a minor weakness? Publish a CVE with a
title including "allows remote attackers to bypass LDAP authentication via
crafted wildcards".
Paul, I get your frustration and I can sympathize. The CVE appeared to come
at us from outside the project, and its eminent
From: Marvin Addison
Sent: Friday, January 23, 2015 11:59 AM
Paul, I get your frustration and I can sympathize.
Thanks. Sorry I did get a bit grumpy; I had some maintenance work scheduled for
Thursday morning, and by the time I sorted out that this was not a critical
security issue needing
So you're saying if I bruteforce a CAS server with a common password list and
achieve an authentication within the user h*, that is not an authentication
bypass? Nice, in your world maybe.
You can cry, kicking around, panic, call me incompetent or whatever ad
hominem you want, but this still is an
From: J. Tozo
Sent: Friday, January 23, 2015 3:35 PM
http://www-01.ibm.com/support/docview.wss?uid=swg21682946
Nice try (just to be polite), but sorry, fail.
The title of the IBM bulletin is Brute-force attack in ClearQuest Web. The
detailed description is IBM Rational ClearQuest could
http://www-01.ibm.com/support/docview.wss?uid=swg21682946
CVE ID: CVE-2014-3101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3101
Description: IBM Rational ClearQuest could allow a remote attacker to
bypass security restrictions, caused by an error in the login form. An
attacker
the vulnerability (CVE-2015-1169)?
Thank You,
Chris Cheltenham
SwainTechs / HHS
Cell# 267-586-2369
From: Jérôme LELEU [mailto:lel...@gmail.com]
Sent: Thursday, January 22, 2015 5:06 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS server release v3.5.3
Hi,
I'm proud to announce the new release
Hi,
I'm proud to announce the new release 3.5.3 of the CAS server. It's
available on the Maven Central repository:
http://search.maven.org/#artifactdetails%7Corg.jasig.cas%7Ccas-server-webapp%7C3.5.3%7Cwar .
Here are the release notes: https://github.com/Jasig/cas/releases/tag/v3.5.3 .
You must
From: Paul B. Henson [mailto:hen...@csupomona.edu]
Sent: Thursday, January 22, 2015 4:41 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS server release v3.5.3
From: Andrew Morgan
Sent: Thursday, January 22, 2015 12:42 PM
You aren't affected when you use
From: Andrew Morgan
Sent: Thursday, January 22, 2015 12:42 PM
You aren't affected when you use FastBindLdapAuthenticationHandler.
Thanks for confirming my initial analysis.
It's hard to call this a vulnerability, which is probably why they didn't
release it as such. More like, here's CAS
From: J. Tozo
Sent: Thursday, January 22, 2015 1:06 PM
It can be considered a minor weakness because it makes it easier to
successfully
You know what you don't do for a minor weakness? Publish a CVE with a title
including allows remote attackers to bypass LDAP authentication via crafted
From: Jérôme LELEU
Sent: Thursday, January 22, 2015 6:49 AM
Yes indeed, you should upgrade to close the vulnerability if you use LDAP
authentication.
You know, if you're going to announce a "holy crap, upgrade now" security issue,
it would be nice to get a little advance notice that it's
On Thu, 22 Jan 2015, Paul B. Henson wrote:
From: Jérôme LELEU Sent: Thursday, January 22, 2015 6:49 AM
Yes indeed, you should upgrade to close the vulnerability if you use
LDAP authentication.
You know, if you're going to announce a "holy crap, upgrade now" security
issue, it would be nice
Hi,
It can be considered a minor weakness because it makes it easier to
successfully perpetrate a bruteforce attack, using common passwords and
guessing the username using the wildcards.
A valid username and password are required for you to simulate whether or
not your system has this vulnerability.
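The wildcard brute-force scenario described in this message (and the "h*" case raised earlier in the thread) as an added Python illustration. This is not code from the thread and not CAS code: it uses a small constructed in-memory directory in place of an LDAP server, a minimal matcher for (uid=value) filters in place of the server's filter evaluation, an assumed DN template for the fast-bind path, and a search-then-bind handler that binds as the first search hit (a modelling assumption, not a statement about any CAS release). It contrasts raw interpolation of the username into the search filter with RFC 4515 escaping, and shows why a direct bind on a templated DN is not affected.

```python
"""Added illustration of LDAP search-filter wildcard abuse during login.

A constructed in-memory "directory" stands in for the LDAP server and a
minimal matcher for its evaluation of (uid=value) filters; this is not CAS
code, and the handler behaviour modelled below (bind as the first search
hit) is an assumption for the example, not a description of any release.
"""
import re
from typing import List, Optional

# Constructed sample accounts (uid -> (DN, password)); not real data.
DIRECTORY = {
    "hsmith": ("uid=hsmith,ou=people,dc=example,dc=org", "Password1"),
    "hjones": ("uid=hjones,ou=people,dc=example,dc=org", "correct horse"),
    "mbrown": ("uid=mbrown,ou=people,dc=example,dc=org", "Password1"),
}

# Assumed DN template for the fast-bind handler in this example.
DN_TEMPLATE = "uid={username},ou=people,dc=example,dc=org"

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is matched literally inside a search filter."""
    return "".join(_ESCAPE.get(c, c) for c in value)


def _value_to_regex(value: str) -> str:
    """Translate an assertion value ('*' wildcards, backslash-hex escapes) to a regex."""
    parts = []
    for token in re.split(r"(\*|\\[0-9a-fA-F]{2})", value):
        if token == "*":
            parts.append(".*")
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", token):
            parts.append(re.escape(chr(int(token[1:], 16))))
        else:
            parts.append(re.escape(token))
    return "".join(parts)


def search(ldap_filter: str) -> List[str]:
    """Return the DNs matching a (uid=value) filter, as an LDAP search would."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: " + ldap_filter)
    pattern = re.compile(_value_to_regex(m.group(1)))
    return [dn for uid, (dn, _) in DIRECTORY.items() if pattern.fullmatch(uid)]


def bind(dn: str, password: str) -> bool:
    """Simulate a simple bind: the exact DN must exist and the password must match."""
    for entry_dn, entry_pw in DIRECTORY.values():
        if entry_dn == dn:
            return entry_pw == password
    return False


def search_then_bind(username: str, password: str, escape: bool) -> Optional[str]:
    """Search-then-bind login: find the entry by filter, then bind as it.

    escape=False interpolates the raw username into the filter (the weakness);
    escape=True applies RFC 4515 escaping first. Binds as the first hit (assumption).
    """
    value = escape_filter_value(username) if escape else username
    hits = search(f"(uid={value})")
    if not hits:
        return None
    return hits[0] if bind(hits[0], password) else None


def fast_bind(username: str, password: str) -> Optional[str]:
    """Fast-bind login: build the DN from a template and bind directly.

    No search filter is built, so '*' is just a character in a DN that
    does not exist and the bind simply fails.
    """
    dn = DN_TEMPLATE.format(username=username)
    return dn if bind(dn, password) else None


if __name__ == "__main__":
    # The guesser knows no username, only a common password and a wildcard.
    print(search_then_bind("h*", "Password1", escape=False))   # binds as hsmith
    print(search_then_bind("h*", "Password1", escape=True))    # None
    print(fast_bind("h*", "Password1"))                        # None
```

With the raw filter, "h*" plus one common password lands on the first account whose uid starts with "h" and uses that password; with escaping, the same input becomes the literal value `h\2a` and matches nothing, and the fast-bind path never builds a filter at all.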