grouper-dev - [grouper-dev] Important! Grouper Security Advisories in API/UI v2.3
Subject: Grouper Developers Forum
- From: "Hyzer, Chris" <>
- To: " Mailing List" <>, "" <>, "" <>
- Subject: [grouper-dev] Important! Grouper Security Advisories in API/UI v2.3
- Date: Tue, 21 Aug 2018 06:20:11 +0000
#1 Grouper audits can show more information than a user should be able to see.

Grouper UI v2.3 patch 44 is affected. You need this patch fix if you have UI patch #44 installed.

GRP-1875: subject audits should only be seen by grouper admins

Reproduce by logging in as a non-root user, pull up a subject in the new UI, see their audits. You might be able to see more than you should. Refresh, quickly, related to other security advisory.

Fixed in 2.3.0 UI patch #47. This is a low risk patch which requires root (READONLY root or all root) to see audits for users.

#2 Group finder flash cache can return results if attempted multiple times in quick succession.

Grouper API v2.3 patch 96 is affected. You need this patch fix if you have API patch #96 installed.

Reproduce this by attempting to VIEW a group (not read) by WS or something in the UI, multiple times in quick succession. You will see the group after the first call does not show it.

Fixed in 2.3.0 API patch #109. This is a low risk patch which corrects this issue.

Thanks to Shilen for finding these while testing the 2.4.0 release… These are fixed in 2.4.0 when it is released.

Thanks
Chris