11:48 p.m.
sessionId cookie: man-in-the-middle attack
------------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
I noticed that sessionId cookie sent to client before authentication remains the same even
after login succedeed. This could lead to a man-in-the-middle attack because pre-login
sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession is
called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:18 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-1361) sessionId cookie: man-in-the-middle attack
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=all ]
Shane Bryzak reassigned JBSEAM-1361:
------------------------------------
Assignee: Shane Bryzak
sessionId cookie: man-in-the-middle attack
------------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Shane Bryzak
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:18 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) sessionId cookie: man-in-the-middle attack
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12363330 ]
Shane Bryzak commented on JBSEAM-1361:
--------------------------------------
What is to stop the new session id cookie from being sniffed also?
sessionId cookie: man-in-the-middle attack
------------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:18 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Resolved: (JBSEAM-1361) sessionId cookie: man-in-the-middle attack
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=all ]
Christian Bauer resolved JBSEAM-1361.
-------------------------------------
Resolution: Rejected
Yes, this doesn't make sense. Session identifier hijacking does not depend on
authorization.
sessionId cookie: man-in-the-middle attack
------------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Shane Bryzak
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:29 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) sessionId cookie: man-in-the-middle attack
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12363343 ]
fguerzoni commented on JBSEAM-1361:
-----------------------------------
By renewing sessionId after authentication, I will be sure that any pre-login sessionId,
eventually obtained during unencrypted http connection, will be sent to server.
After authentication, client sare ssl connected with server and sessionId will be
crypted.
I agree with Christian: "Session identifier hijacking does not depend on
authorization".
I think the problem is that clients could use, when authenticated, sessionId obtained when
they were unauthenticated, so potentially unencrypted.
I feel this situation as very dangerous.
sessionId cookie: man-in-the-middle attack
------------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Shane Bryzak
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:31 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) sessionId cookie: man-in-the-middle attack
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12363347 ]
Christian Bauer commented on JBSEAM-1361:
-----------------------------------------
So encrypt all traffic to your site even for non-authenticated sessions.
sessionId cookie: man-in-the-middle attack
------------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Shane Bryzak
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:08 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) sessionId cookie: man-in-the-middle attack
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12363348 ]
fguerzoni commented on JBSEAM-1361:
-----------------------------------
Ok. It's the solution.
But consider this as a general issue (lowest priority).
What if a site has an intial set of pages unencrypted? And then switch to ssl?
thanks for the precious support.
sessionId cookie: man-in-the-middle attack
------------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Shane Bryzak
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:15 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-1361) invalidate session after scheme change
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=all ]
Gavin King updated JBSEAM-1361:
-------------------------------
Summary: invalidate session after scheme change (was: sessionId cookie:
man-in-the-middle attack)
Fix Version/s: 1.3.0.ALPHA
Assignee: Gavin King (was: Shane Bryzak)
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:15 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-1361) invalidate session after scheme change
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=all ]
Gavin King closed JBSEAM-1361.
------------------------------
Resolution: Done
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:15 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Reopened: (JBSEAM-1361) invalidate session after scheme change
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=all ]
Gavin King reopened JBSEAM-1361:
--------------------------------
I am re-opening, we have decided to do the session invalidation whenever the scheme
changes, instead of at login.
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:32 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Reopened: (JBSEAM-1361) invalidate session after scheme change
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=all ]
Gavin King reopened JBSEAM-1361:
--------------------------------
Two more things needed:
(1) allow preservation of session data when upgrading http to https
(2) detect scheme change as a result of multi-window browsing
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:10 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) invalidate session after scheme change
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12364175 ]
Christian Bauer commented on JBSEAM-1361:
-----------------------------------------
I'm still not sure how that prevents me from stealing the new session in just the same
way, with an XSS attack. Doesn't matter if traffic is encrypted or not, if there is an
XSS hole I get the new identifier.
A new session would however defeat pure man-in-the-middle, attacker listening to the wire.
But this isn't the primary vector.
If we assume that the session identifier has been hijacked with a man-in-the-middle
attack, we need to also assume that the session data is invalid. So I say don't copy
it into the new session after scheme change.
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:53 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) invalidate session after scheme change
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12364196 ]
fguerzoni commented on JBSEAM-1361:
-----------------------------------
I think XSS attacks are less frequent than simply stealing session id: because they are
more difficult to do.
But, take it as a suggestion, Seam could automatically add a sort of XSSvalidator, during
input field scan, in order to search for
<SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>
that generally mean an attempt to inject code from client.
About data copied to new session I think that Christian is right: we don't know if
data are from real user.
So data should be added to new session when both login change and user is authenticated.
In fact user is authenticated only when data in session are correct.
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:17 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) invalidate session after scheme change
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12364203 ]
Christian Bauer commented on JBSEAM-1361:
-----------------------------------------
XSS is one of the easiest attacks possible. Attacking a TCP connection in the middle is
much more difficult (and certainly not done by todays script kiddies). Note that JSF
applications _in general_ are not vulnerable to XSS attacks because rendered output from
the application is by default escaped with HTML entities.
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:55 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-1361) invalidate session after scheme change
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=all ]
Gavin King closed JBSEAM-1361.
------------------------------
Resolution: Done
(2) is done, but not (1). It will miss this release, so I will raise a separate issue for
it.
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6446
days inactive
6455
days old
14 comments
4 participants
participants (4)
-
Christian Bauer (JIRA) -
fguerzoni (JIRA)
-
Gavin King (JIRA)
-
Shane Bryzak (JIRA)