Grouper Developers Forum

[Blair Christensen <>]

uchicago would also be interested in a v2.2.3 release

On Tue, Dec 1, 2015 at 11:55 AM, Robert Bradley <> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 30/11/15 03:36, Chris Hyzer wrote:
> Grouper community,
>
> Sorry to report there is a critical Grouper security vulnerability
> that requires your immediate attention if you are running Grouper.
>
> https://bugs.internet2.edu/jira/browse/GRP-1227
>

<snip details>

> Grouper versions 1.4+ (API, UI, WS, loader) are affected by this
> especially if you have passwords in your sources.xml (if you use
> the GrouperJdbcConnectionProvider or have your password in
> ldap.properties, or encrypted externalized passwords, this is less
> urgent for you).
>

Out of interest, is there likely to be a 2.2.3 release soon that
covers this?

We (i.e. Oxford) are relatively safe from the effects of this thanks
to our using GSSAPI authentication everywhere, but should patch this
regardless.  Our setup is slightly unusual in that instead of using
the standard Grouper installer and patcher, we build Debian packaging
from the Grouper source instead.  That means that if version 2.2.3 is
imminent, it's easier to wait a bit and then merge that in as a new
upstream version of the package.  If version 2.2.3 is likely to be a
way off, though, it makes more sense to use either 2.2.2 as a base and
apply the patches via the packaging, or just use the latest commit to
GROUPER_2_2_BRANCH as our upstream source.


(And yes, one of these days we should find the time to get some
documentation written up about our Grouper installation for the
website...)

- --
Dr Robert Bradley
Identity and Access Management, IT Services, University of Oxford
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWXd8KAAoJEJRhp8p2r+O+X2sP/0pC1z4AbdvJKADETW36/8kY
OBQp+71LZD31D9njo+JoJiFF8NG0r+GDT7PczFjmZQt3AmodT0wwV9F5Mcxm0cgs
BR5FrfqzPF3rt0ep1on8XrupvzwDDU75SC+9nfOLYh3UPBn64M7NlefWUHfopuC/
EIKWCCjZXJHOBiRDcFZjALIBorbc3i1724LKRMPuGV8Q6S3MeePas9quCr5+1MwN
TcrBNekJXkNZLDeJygLoRWdyrkNmRZ0680MM0grINcIAHkue9lbxRTbgpbQOaMTJ
9AsdlrG1Iyh6IPh4uQOC1hlH/Pt4EJ0hT1QrQ+m5i+6XEnGCqr/x1Yd8ijc6XwQY
cwkaLGrhVNEMDgp239jru3ZVe/ltQaEO4MbVD7eAL0bQIUDgsR9O352p6WrzGJ6s
Fo7OIkcsok6Zx9kX8dZ91H51YwIVZOasM0/7/81Tlq00xqLaCCTulMoTvuwKs9jS
G4r6ZKgyVQRn316hNSxE9LbvTvklZoQzTMTEc1sU1h+nr2XP5aYVqiK/Qo6gQ5ow
hRxI63uuvKEO0l5NzKQe0Y/mVmFxesQSgxTg1YEpoug6d6FyrhdA0ALjdEUOmXDN
4rQesoOtQ+lzpNa2EBLnNCSMjOKkO2AN3qDqLaBTw0iw/uXzvvxExRAm/MEG/+vi
cheJrCV4YmOhXjntt4gR
=r8pk
-----END PGP SIGNATURE-----