spring-attic / spring-security-saml

SAML extension for the Spring Security project

FIX OpenSAML version #454

Closed adrien-marsoulaud closed 4 years ago

adrien-marsoulaud commented 5 years ago

Fixes the dependency error (not available in Maven Central) introduced with 006be67. Move to the last available version, which is 2.6.4 instead of 2.6.6, as described in https://github.com/spring-projects/spring-security-saml/issues/237#issuecomment-383579590

pivotal-issuemaster commented 5 years ago

@adrien-concord Please sign the Contributor License Agreement!


fhanik commented 5 years ago

What are the implications of downgrading? Are there known security issues that we may bring back?

Version 2.6.6 has been in use for quite some time and does appear to have necessary fixes.

https://stackoverflow.com/a/52080231/9498942

adrien-marsoulaud commented 5 years ago

These are all the issues fixed in versions 2.6.5 and 2.6.6: https://issues.shibboleth.net/jira/browse/JOST-245?jql=project%20%3D%20JOST%20AND%20fixVersion%20in%20(2.6.5%2C%202.6.6)%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC

There are no security issues.

The link you mentioned specifies a way to retrieve the version from a proprietary repository; in some organizations it is not possible to access repositories other than the official Maven ones. That's why version 2.6.4 is still the most used after 4 years.

I understand that downgrading can be a hard decision. An option could be to make the 2.6.6 version available on Maven Central.

MichaelVetter commented 5 years ago

According to these sources there is a security issue in the old version: https://nvd.nist.gov/vuln/detail/CVE-2015-1796 https://shibboleth.net/community/advisories/secadv_20150225.txt "OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater"

adrien-marsoulaud commented 4 years ago

> According to these sources there is a security issue in the old version: https://nvd.nist.gov/vuln/detail/CVE-2015-1796 https://shibboleth.net/community/advisories/secadv_20150225.txt "OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater"

Good point, I didn't find it in the release notes of versions 2.6.5 and 2.6.6. Unfortunately, how can we upgrade if we cannot have access to the version from an official Maven repository... We will have to continue to use spring-security-saml2-core 1.0.2 like other projects.

Will close this issue. Thank you for your help.

marjanstankovic commented 4 years ago

Does anyone have an idea what's the status here?

I see that we need a lot of org.opensaml dependencies which are actually available for download, but it seems that the metadata isn't updated properly, e.g. https://mvnrepository.com/artifact/org.opensaml/xmltooling/1.4.6 is there, but the last version listed at https://mvnrepository.com/artifact/org.opensaml/xmltooling is 1.4.4.

Is this the issue of the maven central repository or something else?

EDIT: Now I get the point - it is only available from the Shibboleth repository: https://build.shibboleth.net/nexus/content/repositories/releases/ I wasn't actually browsing Maven Central.
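A build-time check that ties the two threads of this discussion together: it flags an org.opensaml:opensaml dependency below the 2.6.5 release named in the CVE-2015-1796 advisory, and reports whether the Shibboleth release repository from the last comment is declared in the POM. This is an added example, not code from the PR or the project; the pom.xml content is constructed, and the org.opensaml:opensaml artifact coordinates are assumed.

```python
import re
import xml.etree.ElementTree as ET

# Minimum OpenSAML Java release named in the Shibboleth advisory for CVE-2015-1796
MIN_SAFE_OPENSAML = (2, 6, 5)
# Release repository the discussion identifies as the only source of 2.6.5+
SHIBBOLETH_RELEASES = "https://build.shibboleth.net/nexus/content/repositories/releases/"
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM, pinned to the version this PR proposed to downgrade to
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml</artifactId>
      <version>2.6.4</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.extensions</groupId>
      <artifactId>spring-security-saml2-core</artifactId>
      <version>1.0.2.RELEASE</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '2.6.4' into (2, 6, 4); non-numeric qualifiers such as RELEASE are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def opensaml_dependencies(pom_xml):
    """Return (artifactId, version) for every org.opensaml dependency in the POM."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.findall(".//m:dependency", POM_NS):
        if dep.findtext("m:groupId", default="", namespaces=POM_NS) == "org.opensaml":
            found.append((dep.findtext("m:artifactId", namespaces=POM_NS),
                          dep.findtext("m:version", namespaces=POM_NS)))
    return found

def vulnerable_opensaml(pom_xml):
    """List org.opensaml:opensaml versions below the advisory's fixed release."""
    return [(a, v) for a, v in opensaml_dependencies(pom_xml)
            if a == "opensaml" and parse_version(v) < MIN_SAFE_OPENSAML]

def declares_repository(pom_xml, url):
    """True if a <repository> entry in the POM points at the given URL."""
    root = ET.fromstring(pom_xml)
    return any(r.findtext("m:url", default="", namespaces=POM_NS).rstrip("/") == url.rstrip("/")
               for r in root.findall(".//m:repository", POM_NS))

if __name__ == "__main__":
    for artifact, version in vulnerable_opensaml(SAMPLE_POM):
        print(f"{artifact} {version} predates 2.6.5 (CVE-2015-1796); fixed releases come from {SHIBBOLETH_RELEASES}")
```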