Back to bug 801304
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Rebecca Newton | 2012-03-12 00:55:11 UTC | CC | rnewton | |
| Marius Bogoevici | 2012-04-13 04:08:48 UTC | Status | NEW | ON_QA |
| Karel Piwko | 2012-06-04 09:45:01 UTC | Status | ON_QA | MODIFIED |
| | | QA Contact | kpiwko | |
| Karel Piwko | 2012-06-04 09:45:22 UTC | CC | mnovotny | |
| David Jorm | 2012-06-19 06:49:19 UTC | CC | djorm | |
| Karel Piwko | 2012-07-02 05:41:31 UTC | Status | MODIFIED | ASSIGNED |
| Karel Piwko | 2012-08-01 13:16:28 UTC | Target Release | 2.0.0.GA | 2.1.0 |
| Karel Piwko | 2012-09-24 13:33:59 UTC | Priority | medium | urgent |
| | | Severity | medium | urgent |
| Karel Piwko | 2012-09-24 13:34:18 UTC | CC | rnewton | irooskov |
| Marek Novotny | 2012-09-25 09:00:36 UTC | Assignee | mariusb | mnovotny |
| | | Target Milestone | --- | ER2 |
| Vaclav Dedik | 2012-10-01 12:09:50 UTC | CC | vdedik | |
| Marek Novotny | 2012-10-01 16:12:32 UTC | Status | ASSIGNED | ON_QA |
| | | Version | 2.1.0 | |
| Tomas Repel | 2012-10-18 11:29:42 UTC | Status | ON_QA | MODIFIED |
| | | CC | trepel | |
| Marek Novotny | 2012-10-19 08:48:12 UTC | Status | MODIFIED | ON_DEV |
| | | Target Milestone | ER2 | CR1 |
| Marek Novotny | 2012-10-23 14:39:20 UTC | Status | ON_DEV | MODIFIED |
| Marek Novotny | 2012-11-06 16:32:10 UTC | Status | MODIFIED | ON_QA |
| Tomas Repel | 2012-11-12 13:02:30 UTC | Status | ON_QA | VERIFIED |
| Karel Piwko | 2012-11-19 10:22:24 UTC | Doc Text | Securing an application in the following way creates a security bug by transitively depending on a compromised OpenID4Java: `<dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-openid</artifactId> <version>2.0.7.RELEASE</version> </dependency>` To work around this issue, use the following configuration alongside the original: `<dependency> <groupId>org.openid4java</groupId> <artifactId>openid4java</artifactId> <version>0.9.6</version> </dependency>` | Cause: OpenID4Java implementation version 0.9.3, which is a transitive dependency of the Spring Security OpenID implementation, contains a security bug. Consequence: Users relying on Spring Security 2.0.7 get OpenID4Java 0.9.3 with a security bug. Fix: Spring 2.5 BOM was modified to override the original OpenID4Java version to OpenID4Java 0.9.6. Result: Users using Spring 2.5 BOM will get a safe OpenID4Java version. |
| Karel Piwko | 2012-11-30 15:34:43 UTC | Status | VERIFIED | CLOSED |
| | | Resolution | --- | CURRENTRELEASE |
| | | Last Closed | 2012-11-30 10:34:43 UTC | |