Security notification regarding shib-cas-authenticator
William G. Thompson, Jr.
wgthom at gmail.com
Tue Sep 17 12:18:23 EDT 2013
This is a security notification regarding the shib-cas-authenticator,
a commonly deployed mechanism to integrate CAS and Shibboleth. This
issue only affects CAS and Shibboleth deployments that have deployed
this module.
A critical security vulnerability has been confirmed in
shib-cas-authenticator version 1.3 and earlier, such that a moderately
sophisticated attacker could impersonate any user. A fix for this
vulnerability is available in version 1.3.0.1 and all deployers are
encouraged to upgrade as soon as possible.
A grace period will be observed after this community notification and
before public disclosure, so that unknown community deployers have time
to upgrade. Expected public disclosure date is 2013-09-30.
Unicon clients, subscribers of Unicon Open Source Support program, and
known deployers of shib-cas-authenticator have previously received
private notification.
If you have shib-cas-authenticator deployed, please contact me privately.
Best Regards,
Bill Thompson
IAM Practice Director, Unicon