grouper-users - [grouper-users] Security advisory GRP-3015 for Grouper
Subject: Grouper Users - Open Discussion List
- From: "Hyzer, Chris" <>
- To: " Mailing List" <>, "" <>
- Subject: [grouper-users] Security advisory GRP-3015 for Grouper
- Date: Mon, 9 Nov 2020 21:43:35 +0000
Hello,
Grouper has a security vulnerability, affecting the following versions of Grouper:
- 2.5.36
- 2.5.37
You are affected if you are using one of these versions and have secrets in plain text in environment variables in the Grouper container. On startup the container prints out all env vars to the container logs.
This could lead to those at your institution who can view container logs to be able to view passwords that were in plain text in env vars. For full details, please see the advisory linked below.
Thanks to JJ at Unicon for identifying this problem.
These two containers (2.5.36.1 and 2.5.37.1) are identical to the previous version but have only this issue fixed (and OS updates). When 2.5.38+ is out, this is fixed there too.
Thanks
Chris Hyzer
Internet2 Grouper Lead
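
A defender-side check for the exposure described in this advisory, added here as an example and not part of the original message or the Grouper project: it scans saved container log text for a startup environment dump and reports secret-looking variable names with the values withheld. The variable names, the name-fragment list, the run threshold and the sample log are constructed assumptions, and log lines are assumed to carry no timestamp prefix.

```python
import re

# Name fragments that usually mark a secret-bearing variable (assumed list; tune per site).
SECRET_HINTS = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.I)
# A bare NAME=value line, as env/printenv/export would print it.
ENV_LINE = re.compile(r"^\s*(?:export\s+|declare\s+-x\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def find_exposed_secrets(log_text, min_run=3):
    """Return [(line_no, var_name, value_length)] for secret-looking variables
    that sit inside a run of at least min_run consecutive NAME=value lines.
    Requiring a run separates a full environment dump from a stray key=value
    log message. Values are never returned, only their length."""
    findings, run = [], []

    def flush():
        # Close the current run; keep findings only if it is long enough to be a dump.
        if len(run) >= min_run:
            findings.extend((no, name, len(val)) for no, name, val in run
                            if val and SECRET_HINTS.search(name))
        run.clear()

    for no, line in enumerate(log_text.splitlines(), 1):
        m = ENV_LINE.match(line)
        if m:
            run.append((no, m.group(1), m.group(2).strip().strip("\"'")))
        else:
            flush()
    flush()
    return findings


# Constructed sample log; names and values are placeholders, not real Grouper output.
SAMPLE_LOG = """\
Starting container
HOSTNAME=example-host
PATH=/usr/local/bin:/usr/bin
EXAMPLE_DB_PASSWORD=constructed-not-real
EXAMPLE_DB_URL=jdbc:example
EXAMPLE_API_TOKEN=
JAVA_HOME=/usr/lib/jvm
Server startup complete
apiKey=abc
"""

if __name__ == "__main__":
    for line_no, name, length in find_exposed_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {name} logged in plain text ({length} chars): rotate it")
```

Any variable this reports from logs written by an affected version should be treated as disclosed to everyone with log access and rotated.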