Dear CAS Community,

Vulnerabilities were reported to Jasig about the legacy Yale mod_cas filter and the CCCI ISAPI filter. CCCI has generously supplied a patch and posted it in the wiki. Yale is recommending that users migrate to the official Jasig Apache client: mod_auth_cas.

Courses of Action:

mod_cas
All users of mod_cas are encouraged to upgrade to mod_auth_cas, which is NOT affected by the vulnerability.
http://www.ja-sig.org/wiki/display/CASC/mod_auth_cas

ISAPI Filter
All users are encouraged to upgrade to the latest version of the filter, which corrects the vulnerability.
http://www.ja-sig.org/wiki/display/CASC/ISAPI+Filter

There have currently been no reported vulnerabilities with other CAS clients.

Thanks to Joseph Valerio from Yale University for reporting this vulnerability and to Nathan Kopp from CCCI for his prompt patch to fix the issue for the ISAPI filter.

Please note that Jasig is relaying this information to the community as a service. Jasig is not affiliated with the mod_cas or the ISAPI filter clients and therefore, the information and resources we have available for assistance are limited. We encourage users to utilize the cas_user list if they need help upgrading. Others have probably upgraded in the past and may be able to provide helpful hints.

Thanks,
Scott
