Dear CAS Community,

I've spoken with Carl Harris, the developer of the excellent Soulwing CAS Client for Java, about the recent issue with trusting the host set by the header. He has very quickly released a patched version to correct the vulnerability. Details of his announcement are here:
Users of Soulwing CAS Client versions 0.4 and prior are vulnerable to attack by compromised CAS services as described at http://www.ja-sig.org/wiki/display/CASC/CASFilter. All users of Soulwing CAS Client should upgrade to version 0.4.1 or later, which was released to SourceForge.net on 12 Dec 2007.

Client version 0.4.1 and later now requires the CAS service URL to be specified in the configuration. See the revised configuration instructions for Confluence and JIRA. Other users of the client will also need to modify configurations accordingly. See www.soulwing.org to download the patched client.

Thanks
-Scott

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
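The following Python model, added here as an illustration and not code from the Soulwing client or its author, shows why the 0.4.1 change matters: a CAS service ticket is bound to the service URL it was issued for, so a client that builds that URL from the request's Host header will validate tickets for whatever host the requester names, whereas a client that takes the URL from configuration only ever validates tickets for itself. The ticket registry, requests and the `service_base_url` configuration key are all constructed for the example; the key is hypothetical and is not Soulwing's actual setting name.

```python
"""Model of CAS service-URL derivation: Host header versus configuration.

Added illustration, not code from the Soulwing CAS Client. All tickets,
requests and the `service_base_url` key below are constructed.
"""


# Constructed stand-in for the CAS server's ticket registry: each service
# ticket (ST) is valid only for the exact service URL it was issued to.
TICKET_REGISTRY = {
    "ST-1-constructed": "https://wiki.example.org/confluence/",  # issued to the real wiki
    "ST-2-constructed": "https://evil.example.net/confluence/",  # issued to a compromised service
}


def cas_service_validate(ticket, service):
    """Model of the CAS /serviceValidate check: the ticket must have been issued for `service`."""
    return TICKET_REGISTRY.get(ticket) == service


def service_url_from_host_header(config, request):
    """Pre-0.4.1 pattern: scheme and host are taken from the (client-controlled) Host header."""
    return f"{request['scheme']}://{request['host']}{request['path']}"


def service_url_from_config(config, request):
    """0.4.1+ pattern: scheme and host come from configuration; only the path comes from the request."""
    return config["service_base_url"].rstrip("/") + request["path"]


def authenticate(config, request, derive_service):
    """Return True if a CAS filter using `derive_service` would accept the ticket in `request`."""
    ticket = request.get("ticket")
    if not ticket:
        return False
    return cas_service_validate(ticket, derive_service(config, request))


# Hypothetical configuration key holding the application's own service URL.
CONFIG = {"service_base_url": "https://wiki.example.org"}

# Constructed genuine login: CAS issued ST-1 for the wiki and the browser brings it back.
GENUINE_REQUEST = {
    "scheme": "https", "host": "wiki.example.org",
    "path": "/confluence/", "ticket": "ST-1-constructed",
}

# Constructed case from the advisory: a ticket issued to a compromised service
# arrives at the wiki with a Host header naming that other service.
FOREIGN_TICKET_REQUEST = {
    "scheme": "https", "host": "evil.example.net",
    "path": "/confluence/", "ticket": "ST-2-constructed",
}


def compare():
    """Outcome of each request under both derivation strategies."""
    return {
        "genuine_host_header": authenticate(CONFIG, GENUINE_REQUEST, service_url_from_host_header),
        "genuine_config": authenticate(CONFIG, GENUINE_REQUEST, service_url_from_config),
        "foreign_host_header": authenticate(CONFIG, FOREIGN_TICKET_REQUEST, service_url_from_host_header),
        "foreign_config": authenticate(CONFIG, FOREIGN_TICKET_REQUEST, service_url_from_config),
    }


if __name__ == "__main__":
    for name, accepted in compare().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the configuration-based derivation rejects the ticket that was issued to a different service; the genuine login succeeds under both. That is the property the upgrade to 0.4.1 enforces by making the service URL a required configuration value, and it is the same check to apply when reviewing any other CAS client: the service URL sent to the validation endpoint must not depend on request headers.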
