search

ausaccessfed / aaf-shib-ext

Shibboleth extension for auEduPersonSharedToken
Apache License 2.0
0 stars 0 forks source link

Upgrade to Shibboleth 3.4.3 #11

Open rianniello opened 7 years ago

rianniello commented 7 years ago

There has been a vulnerability identified in the apache commons collection library https://www.kb.cert.org/vuls/id/576313 https://opensource.googleblog.com/2017/03/operation-rosehub.html

The version that we're using in this project is a transient dependency — we never use it directly. However, the threat is still there, as we'll have a JVM running with this library!

Hopefully upgrading the Shibboleth IdP dependency in this project will use a safe version of the library (version 3.2.2 and version 4.1).

Here is a log of the dependencies for this project:

runtime - Runtime dependencies for source set 'main'.
+--- net.shibboleth.idp:idp-attribute-api:3.2.0
|    +--- org.opensaml:opensaml-core:3.2.0
|    |    +--- joda-time:joda-time:2.9
|    |    +--- net.shibboleth.utilities:java-support:7.2.0
|    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    |    +--- com.google.guava:guava:18.0
|    |    |    +--- joda-time:joda-time:2.9
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- commons-codec:commons-codec:1.10
|    |    \--- org.slf4j:slf4j-api:1.7.12
|    +--- org.opensaml:opensaml-profile-api:3.2.0
|    |    +--- org.opensaml:opensaml-core:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-messaging-api:3.2.0
|    |    |    +--- org.opensaml:opensaml-core:3.2.0 (*)
|    |    |    +--- joda-time:joda-time:2.9
|    |    |    +--- org.apache.httpcomponents:httpclient:4.3.6
|    |    |    |    +--- org.apache.httpcomponents:httpcore:4.3.3
|    |    |    |    \--- commons-codec:commons-codec:1.6 -> 1.10
|    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    +--- commons-codec:commons-codec:1.10
|    |    \--- org.slf4j:slf4j-api:1.7.12
|    +--- org.opensaml:opensaml-saml-api:3.2.0
|    |    +--- org.opensaml:opensaml-xmlsec-api:3.2.0
|    |    |    +--- org.opensaml:opensaml-security-api:3.2.0
|    |    |    |    +--- org.opensaml:opensaml-core:3.2.0 (*)
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    |    |    +--- org.apache.santuario:xmlsec:2.0.5
|    |    |    |    |    +--- org.slf4j:slf4j-api:1.7.12
|    |    |    |    |    +--- org.codehaus.woodstox:woodstox-core-asl:4.4.1
|    |    |    |    |    |    +--- javax.xml.stream:stax-api:1.0-2
|    |    |    |    |    |    \--- org.codehaus.woodstox:stax2-api:3.1.4
|    |    |    |    |    \--- commons-codec:commons-codec:1.10
|    |    |    |    +--- org.cryptacular:cryptacular:1.0
|    |    |    |    |    \--- org.bouncycastle:bcprov-jdk15on:1.50 -> 1.53
|    |    |    |    +--- org.bouncycastle:bcprov-jdk15on:1.53
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- org.opensaml:opensaml-soap-api:3.2.0
|    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    |    +--- org.apache.httpcomponents:httpclient:4.3.6 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-storage-api:3.2.0
|    |    |    +--- joda-time:joda-time:2.9
|    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    +--- commons-codec:commons-codec:1.10
|    |    \--- org.slf4j:slf4j-api:1.7.12
|    +--- commons-codec:commons-codec:1.10
|    +--- com.google.code.findbugs:jsr305:3.0.1
|    +--- com.google.guava:guava:18.0
|    +--- org.codehaus.janino:janino:2.7.8
|    |    \--- org.codehaus.janino:commons-compiler:2.7.8
|    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    +--- javax.mail:mail:1.4.7
|    |    \--- javax.activation:activation:1.1
|    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    +--- org.springframework:spring-context-support:4.2.3.RELEASE
|    |    +--- org.springframework:spring-beans:4.2.3.RELEASE
|    |    |    \--- org.springframework:spring-core:4.2.3.RELEASE
|    |    |         \--- commons-logging:commons-logging:1.2
|    |    +--- org.springframework:spring-context:4.2.3.RELEASE
|    |    |    +--- org.springframework:spring-aop:4.2.3.RELEASE
|    |    |    |    +--- aopalliance:aopalliance:1.0
|    |    |    |    +--- org.springframework:spring-beans:4.2.3.RELEASE (*)
|    |    |    |    \--- org.springframework:spring-core:4.2.3.RELEASE (*)
|    |    |    +--- org.springframework:spring-beans:4.2.3.RELEASE (*)
|    |    |    +--- org.springframework:spring-core:4.2.3.RELEASE (*)
|    |    |    \--- org.springframework:spring-expression:4.2.3.RELEASE
|    |    |         \--- org.springframework:spring-core:4.2.3.RELEASE (*)
|    |    \--- org.springframework:spring-core:4.2.3.RELEASE (*)
|    \--- org.slf4j:slf4j-api:1.7.12
+--- net.shibboleth.idp:idp-attribute-resolver-api:3.2.0
|    +--- net.shibboleth.idp:idp-attribute-api:3.2.0 (*)
|    +--- net.shibboleth.idp:idp-authn-api:3.2.0
|    |    +--- net.shibboleth.idp:idp-profile-api:3.2.0
|    |    |    +--- net.shibboleth.idp:idp-attribute-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-storage-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.2.0 (*)
|    |    |    +--- org.springframework.webflow:spring-webflow:2.4.2.RELEASE
|    |    |    |    +--- opensymphony:ognl:2.6.11
|    |    |    |    +--- org.springframework.webflow:spring-binding:2.4.2.RELEASE
|    |    |    |    |    +--- opensymphony:ognl:2.6.11
|    |    |    |    |    +--- org.springframework:spring-beans:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |    +--- org.springframework:spring-context:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |    +--- org.springframework:spring-core:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |    \--- org.springframework:spring-expression:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    +--- org.springframework.webflow:spring-js:2.4.2.RELEASE
|    |    |    |    |    +--- org.springframework.webflow:spring-js-resources:2.4.2.RELEASE
|    |    |    |    |    +--- org.springframework:spring-beans:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |    +--- org.springframework:spring-context:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |    +--- org.springframework:spring-core:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |    +--- org.springframework:spring-web:4.2.0.RELEASE -> 4.2.3.RELEASE
|    |    |    |    |    |    +--- org.springframework:spring-aop:4.2.3.RELEASE (*)
|    |    |    |    |    |    +--- org.springframework:spring-beans:4.2.3.RELEASE (*)
|    |    |    |    |    |    +--- org.springframework:spring-context:4.2.3.RELEASE (*)
|    |    |    |    |    |    \--- org.springframework:spring-core:4.2.3.RELEASE (*)
|    |    |    |    |    \--- org.springframework:spring-webmvc:4.2.0.RELEASE
|    |    |    |    |         +--- org.springframework:spring-beans:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |         +--- org.springframework:spring-context:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |         +--- org.springframework:spring-core:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |         +--- org.springframework:spring-expression:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    |         \--- org.springframework:spring-web:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    +--- org.springframework:spring-beans:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    +--- org.springframework:spring-context:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    +--- org.springframework:spring-core:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    +--- org.springframework:spring-expression:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    +--- org.springframework:spring-web:4.2.0.RELEASE -> 4.2.3.RELEASE (*)
|    |    |    |    \--- org.springframework:spring-webmvc:4.2.0.RELEASE (*)
|    |    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    |    +--- com.google.guava:guava:18.0
|    |    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    +--- javax.mail:mail:1.4.7 (*)
|    |    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- org.opensaml:opensaml-storage-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    +--- org.ldaptive:ldaptive:1.0.7
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- javax.json:javax.json-api:1.0
|    |    +--- joda-time:joda-time:2.9
|    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    +--- com.google.guava:guava:18.0
|    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    +--- javax.mail:mail:1.4.7 (*)
|    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    +--- org.slf4j:slf4j-api:1.7.12
|    |    \--- org.glassfish:javax.json:1.0.4
|    +--- net.shibboleth.idp:idp-core:3.2.0
|    |    +--- joda-time:joda-time:2.9
|    |    +--- com.beust:jcommander:1.48
|    |    +--- org.springframework:spring-core:4.2.3.RELEASE (*)
|    |    +--- org.springframework:spring-beans:4.2.3.RELEASE (*)
|    |    +--- org.springframework:spring-context:4.2.3.RELEASE (*)
|    |    +--- org.springframework:spring-web:4.2.3.RELEASE (*)
|    |    +--- ch.qos.logback:logback-classic:1.1.3
|    |    |    +--- ch.qos.logback:logback-core:1.1.3
|    |    |    \--- org.slf4j:slf4j-api:1.7.7 -> 1.7.12
|    |    +--- ch.qos.logback:logback-core:1.1.3
|    |    +--- net.shibboleth.ext:spring-extensions:5.2.0
|    |    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    |    +--- com.google.guava:guava:18.0
|    |    |    +--- org.apache.httpcomponents:httpclient:4.3.6 (*)
|    |    |    +--- org.apache.httpcomponents:httpclient-cache:4.3.6
|    |    |    |    \--- org.apache.httpcomponents:httpclient:4.3.6 (*)
|    |    |    +--- joda-time:joda-time:2.9
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    +--- com.google.guava:guava:18.0
|    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    +--- javax.mail:mail:1.4.7 (*)
|    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    \--- org.slf4j:slf4j-api:1.7.12
|    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    +--- org.springframework:spring-beans:4.2.3.RELEASE (*)
|    +--- com.google.code.findbugs:jsr305:3.0.1
|    +--- com.google.guava:guava:18.0
|    +--- org.codehaus.janino:janino:2.7.8 (*)
|    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    +--- javax.mail:mail:1.4.7 (*)
|    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    \--- org.slf4j:slf4j-api:1.7.12
+--- net.shibboleth.idp:idp-attribute-resolver-impl:3.2.0
|    +--- net.shibboleth.idp:idp-attribute-api:3.2.0 (*)
|    +--- net.shibboleth.idp:idp-attribute-resolver-api:3.2.0 (*)
|    +--- net.shibboleth.idp:idp-authn-api:3.2.0 (*)
|    +--- org.apache.velocity:velocity:1.7
|    |    +--- commons-collections:commons-collections:3.2.1
|    |    \--- commons-lang:commons-lang:2.4
|    +--- commons-codec:commons-codec:1.10
|    +--- joda-time:joda-time:2.9
|    +--- org.ldaptive:ldaptive:1.0.7 (*)
|    +--- javax.json:javax.json-api:1.0
|    +--- org.opensaml:opensaml-saml-api:3.2.0 (*)
|    +--- com.google.code.findbugs:jsr305:3.0.1
|    +--- com.google.guava:guava:18.0
|    +--- org.codehaus.janino:janino:2.7.8 (*)
|    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    +--- javax.mail:mail:1.4.7 (*)
|    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    \--- org.slf4j:slf4j-api:1.7.12
+--- net.shibboleth.idp:idp-attribute-resolver-spring:3.2.0
|    +--- net.shibboleth.idp:idp-core:3.2.0 (*)
|    +--- net.shibboleth.idp:idp-attribute-api:3.2.0 (*)
|    +--- net.shibboleth.idp:idp-attribute-resolver-api:3.2.0 (*)
|    +--- net.shibboleth.idp:idp-attribute-resolver-impl:3.2.0 (*)
|    +--- net.shibboleth.idp:idp-saml-api:3.2.0
|    |    +--- net.shibboleth.idp:idp-profile-api:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-attribute-resolver-api:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-session-api:3.2.0
|    |    |    +--- net.shibboleth.idp:idp-authn-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-storage-api:3.2.0 (*)
|    |    |    +--- javax.json:javax.json-api:1.0
|    |    |    +--- joda-time:joda-time:2.9
|    |    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    |    +--- com.google.guava:guava:18.0
|    |    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    +--- javax.mail:mail:1.4.7 (*)
|    |    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    |    +--- org.slf4j:slf4j-api:1.7.12
|    |    |    \--- org.glassfish:javax.json:1.0.4
|    |    +--- net.shibboleth.idp:idp-authn-api:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-attribute-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-saml-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-core:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-security-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-xmlsec-api:3.2.0 (*)
|    |    +--- org.springframework.webflow:spring-webflow:2.4.2.RELEASE (*)
|    |    +--- joda-time:joda-time:2.9
|    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    +--- com.google.guava:guava:18.0
|    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    +--- javax.mail:mail:1.4.7 (*)
|    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    \--- org.slf4j:slf4j-api:1.7.12
|    +--- net.shibboleth.idp:idp-saml-impl:3.2.0
|    |    +--- net.shibboleth.liberty:idwsfconsumer:1.0.0
|    |    |    +--- org.opensaml:opensaml-saml-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-xmlsec-impl:3.2.0
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.2.0 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-impl:3.2.0
|    |    |    |    |    +--- org.opensaml:opensaml-security-api:3.2.0 (*)
|    |    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    |    +--- commons-lang:commons-lang:2.4
|    |    |    +--- org.slf4j:log4j-over-slf4j:1.7.12
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- net.shibboleth.idp:idp-saml-api:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-authn-api:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-attribute-api:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-profile-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-core:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-saml-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-xmlsec-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-storage-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-security-api:3.2.0 (*)
|    |    +--- net.shibboleth.ext:spring-extensions:5.2.0 (*)
|    |    +--- org.springframework.webflow:spring-webflow:2.4.2.RELEASE (*)
|    |    +--- joda-time:joda-time:2.9
|    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    +--- com.google.guava:guava:18.0
|    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    +--- javax.mail:mail:1.4.7 (*)
|    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    +--- org.slf4j:slf4j-api:1.7.12
|    |    \--- org.glassfish:javax.json:1.0.4
|    +--- org.opensaml:opensaml-saml-api:3.2.0 (*)
|    +--- org.opensaml:opensaml-security-api:3.2.0 (*)
|    +--- com.mchange:c3p0:0.9.2.1
|    |    \--- com.mchange:mchange-commons-java:0.2.3.4
|    +--- org.ldaptive:ldaptive:1.0.7 (*)
|    +--- org.springframework:spring-beans:4.2.3.RELEASE (*)
|    +--- org.springframework:spring-context:4.2.3.RELEASE (*)
|    +--- net.shibboleth.idp:idp-schema:3.2.0
|    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    +--- com.google.guava:guava:18.0
|    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    +--- javax.mail:mail:1.4.7 (*)
|    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    \--- org.slf4j:slf4j-api:1.7.12
|    +--- net.shibboleth.idp:idp-profile-spring:3.2.0
|    |    +--- net.shibboleth.idp:idp-core:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-saml-api:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-saml-impl:3.2.0 (*)
|    |    +--- net.shibboleth.idp:idp-profile-impl:3.2.0
|    |    |    +--- net.shibboleth.idp:idp-core:3.2.0 (*)
|    |    |    +--- net.shibboleth.idp:idp-profile-api:3.2.0 (*)
|    |    |    +--- net.shibboleth.idp:idp-attribute-api:3.2.0 (*)
|    |    |    +--- net.shibboleth.idp:idp-attribute-resolver-api:3.2.0 (*)
|    |    |    +--- net.shibboleth.idp:idp-attribute-filter-api:3.2.0
|    |    |    |    +--- net.shibboleth.idp:idp-attribute-api:3.2.0 (*)
|    |    |    |    +--- net.shibboleth.idp:idp-core:3.2.0 (*)
|    |    |    |    +--- org.opensaml:opensaml-saml-api:3.2.0 (*)
|    |    |    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    |    |    +--- com.google.guava:guava:18.0
|    |    |    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    |    +--- javax.mail:mail:1.4.7 (*)
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    |    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    |    +--- net.shibboleth.idp:idp-authn-api:3.2.0 (*)
|    |    |    +--- net.shibboleth.idp:idp-session-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    |    +--- net.shibboleth.ext:spring-extensions:5.2.0 (*)
|    |    |    +--- org.springframework:spring-beans:4.2.3.RELEASE (*)
|    |    |    +--- org.springframework.webflow:spring-webflow:2.4.2.RELEASE (*)
|    |    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    |    +--- com.google.guava:guava:18.0
|    |    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    +--- javax.mail:mail:1.4.7 (*)
|    |    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- net.shibboleth.ext:spring-extensions:5.2.0 (*)
|    |    +--- org.springframework:spring-beans:4.2.3.RELEASE (*)
|    |    +--- org.springframework:spring-context:4.2.3.RELEASE (*)
|    |    +--- org.opensaml:opensaml-saml-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-saml-impl:3.2.0
|    |    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-saml-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-storage-api:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-security-impl:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-xmlsec-impl:3.2.0 (*)
|    |    |    +--- org.opensaml:opensaml-soap-impl:3.2.0
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.2.0 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.2.0 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    |    +--- org.apache.velocity:velocity:1.7 (*)
|    |    |    +--- org.apache.httpcomponents:httpclient:4.3.6 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    |    +--- commons-codec:commons-codec:1.10
|    |    |    \--- org.slf4j:slf4j-api:1.7.12
|    |    +--- org.opensaml:opensaml-security-api:3.2.0 (*)
|    |    +--- org.opensaml:opensaml-security-impl:3.2.0 (*)
|    |    +--- com.google.code.findbugs:jsr305:3.0.1
|    |    +--- com.google.guava:guava:18.0
|    |    +--- org.codehaus.janino:janino:2.7.8 (*)
|    |    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    |    +--- javax.mail:mail:1.4.7 (*)
|    |    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    |    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    |    +--- org.slf4j:slf4j-api:1.7.12
|    |    \--- net.shibboleth.idp:idp-schema:3.2.0 (*)
|    +--- com.google.code.findbugs:jsr305:3.0.1
|    +--- com.google.guava:guava:18.0
|    +--- org.codehaus.janino:janino:2.7.8 (*)
|    +--- net.shibboleth.utilities:java-support:7.2.0 (*)
|    +--- javax.mail:mail:1.4.7 (*)
|    +--- org.opensaml:opensaml-messaging-api:3.2.0 (*)
|    +--- org.springframework:spring-context-support:4.2.3.RELEASE (*)
|    \--- org.slf4j:slf4j-api:1.7.12
\--- org.springframework:spring-jdbc:4.1.6.RELEASE
     +--- org.springframework:spring-beans:4.1.6.RELEASE -> 4.2.3.RELEASE (*)
     +--- org.springframework:spring-core:4.1.6.RELEASE -> 4.2.3.RELEASE (*)
     \--- org.springframework:spring-tx:4.1.6.RELEASE
          +--- org.springframework:spring-beans:4.1.6.RELEASE -> 4.2.3.RELEASE (*)
          \--- org.springframework:spring-core:4.1.6.RELEASE -> 4.2.3.RELEASE (*)
rianniello commented 7 years ago

After some further investigation, the latest (3.3.0) Shibboleth IdP version does not contain an unsafe version of apache commons collections.

Despite this, this project should still be upgraded to reference the latest Shibboleth IdP (3.3.0) version, when it's actually used on an 3.3.0 instance.

rianniello commented 5 years ago

This library is upgradable to 3.4.3, which includes schema changes. Work from other projects will be backported here, in the near future.

This change will fix all deprecation warnings and allow us to upgrade to Shib IdP 4 with issues.

bradleybeddoes commented 5 years ago

upgrade to Shib IdP 4 with issues.

without I think you meant?

rianniello commented 5 years ago

😆 Yes.