grouper-users - [grouper-users] Grouper UI Security Advisory
Subject: Grouper Users - Open Discussion List
- From: Shilen Patel
- Subject: [grouper-users] Grouper UI Security Advisory
- Date: Wed, 22 Dec 2010 14:38:56 -0500
Grouper Security Advisory [21 December 2010]
Patches to the Grouper 1.5.x and 1.6.x UI are available which
correct a security issue. Grouper 1.6.3 and later have the
security fix. Grouper 1.6.3 will be released in the next few
days.
Affected Systems
================
All versions of the Grouper 1.5 UI. Also, all versions of the
Grouper 1.6 UI prior to 1.6.3.
Grouper UI Security Issue
=========================
Current versions of the Grouper UI are capable of revealing
user audit logs to unauthorized users. The user audit logs
contain information that may be sensitive, such as the
membership changes of groups. They also contain other details
including the subjects that have performed updates and the
servers where the updates were made from. This bug allows all
authenticated users to bypass the current security checks for
user audit logs and view all the logs by URL manipulation.
Here's the URL for the advisory which contains the link to
the patch and instructions on how to apply the patch.
http://www.internet2.edu/grouper/secadv/20101221/txt.txt
Thanks,
Shilen
On behalf of the Grouper team