This is a security notification regarding the shib-cas-authenticator, a commonly deployed mechanism to integrate CAS and Shibboleth. This issue only effects CAS and Shibboleth deployments that have deployed this module.
A critical security vulnerability has been confirmed in shib-cas-authenticator version 1.3 and earlier, such that a moderately sophisticated attacker could impersonate any user. A fix for this vulnerability is available in version 1.3.0.1 and all deployers are encouraged to upgrade as soon as possible. A grace period will be observed after this community notification, and before public disclosure so that unknown community deployers have time to upgrade. Expected public disclosure date is 2013-09-30. Unicon clients, subscribers of Unicon Open Source Support program, and known deployers of shib-cas-authenticator have previously received private notification. If you have shib-cas-authenticator deployed, please contact me privately. Best Regards, Bill Thompson IAM Practice Director, Unicon -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
