Thanks all for the confirmation. We now have a high priority task to upgrade to 7.3 (and the requisite Tomcat 11 as well).

On Fri, Dec 19, 2025 at 11:55 AM 'Jeremiah Garmatter' via CAS Community <[email protected]> wrote:

> We utilize Duo with CAS too. We plan to upgrade to 7.3.0 in January. If
> you need more time you can reach out to Duo support for an extension.
> I believe the final cutoff date for extenders is March 31st, but for
> everyone else it is February 2nd.
>
> On Friday, December 19, 2025 at 3:33:18 PM UTC-5 Ray Bon wrote:
>
>> Baron,
>>
>> The Duo versions for Java are here
>> https://help.duo.com/s/article/9451?language=en_US#api-clients
>> CAS 7.2.x does not have the minimums, and the last commit was late
>> September.
>> Anyone wanting to use Duo will have to upgrade to 7.3.x
>> See line 56 in
>> https://github.com/apereo/cas/blob/7.3.x/gradle/libs.versions.toml
>>
>> Ray
>> ------------------------------
>> *From:* [email protected] <[email protected]> on behalf of Baron
>> Fujimoto <[email protected]>
>> *Sent:* December 19, 2025 08:56
>> *To:* CAS Community <[email protected]>
>> *Subject:* [cas-user] Re: Duo root certificate authority bundle
>> replacement?
>>
>> Following up with additional information. We now believe the Duo
>> Unsupported Client reports actually do implicate CAS. Initially we were
>> dissuaded because the Client IP in these reports was not known to be
>> associated with our CAS servers, but we've since learned that all the
>> servers' traffic was NAT'd behind the reported IP.
>>
>> I don't recall seeing this issue being discussed previously on the list,
>> but this seems like a significant issue for those using
>> "cas-server-support-duo". Are such users actually just rare, or is everyone
>> already running CAS 7.3?
>>
>> On Thu, Dec 18, 2025 at 5:40 PM Baron Fujimoto <[email protected]> wrote:
>>
>> We are currently running CAS 7.0.x with the "cas-server-support-duo"
>> dependency in our build.gradle overlay.
>>
>> In response to an advisory from Duo re "Duo root certificate authority
>> bundle replacement" (action required by 2025-02-02)
>>
>> <https://help.duo.com/s/article/9451>
>>
>> We tried to determine if we were affected by this. Duo reports in our
>> Unsupported Clients log many entries that are tied to our Identification
>> Key for the Duo app used by our CAS service. It's unclear to us though
>> whether these entries represented CAS itself, or clients using our CAS
>> service.
>>
>> Our initial analysis suggested to us that these entries represented CAS
>> clients using our CAS service. However, we received the following response
>> to our query to Duo support:
>>
>> *With CAS, since this is a third party application that has integrated
>> Duo, our team recently got a confirmation from CAS that they have made an
>> update available for the upcoming CA bundle replacement, and you must
>> perform some upgrade or configuration action to use it.*
>>
>> And they provided links to the CAS 7.3.0 Duo Security MFA documentation:
>> <https://apereo.github.io/cas/7.3.x/mfa/DuoSecurity-Authentication.html>
>>
>> So is the CAS server actually affected by this issue if using
>> "cas-server-support-duo"? If so, what is the minimum CAS server version
>> required to address this? If there are release notes or something
>> comparable that covers this, a pointer to those would be appreciated as
>> well.
>>
>> --
>> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0JdPHB41TGic9YN_kYWQp_dkrRq0awoATj-xe-RzAUAA%40mail.gmail.com
