[upki-fed:00688] Vulnerability in shib-cas-authenticator (fixed in 1.3.0.1)
- Subject: [upki-fed:00688] Vulnerability in shib-cas-authenticator (fixed in 1.3.0.1)
- Date: Wed, 18 Sep 2013 10:59:53 +0900
- From: Takeshi NISHIMURA <xxxxxxx@xxxxxxxxx>
This is Nishimura from NII.
As shown below, information about a vulnerability in shib-cas-authenticator
is circulating.
Those using Shibboleth in combination with CAS should take note.
-------- Original Message --------
Subject: Security notification regarding shib-cas-authenticator
Date: Tue, 17 Sep 2013 12:18:23 -0400
From: William G. Thompson, Jr. <xxxxxx@xxxxxxxxx>
Reply-To: Shib Users <xxxxx@xxxxxxxxxxxxxx>
To: Shib Users <xxxxx@xxxxxxxxxxxxxx>
This is a security notification regarding the shib-cas-authenticator,
a commonly deployed mechanism to integrate CAS and Shibboleth. This
issue only affects CAS and Shibboleth deployments that have deployed
this module.
A critical security vulnerability has been confirmed in
shib-cas-authenticator version 1.3 and earlier, such that a moderately
sophisticated attacker could impersonate any user. A fix for this
vulnerability is available in version 1.3.0.1 and all deployers are
encouraged to upgrade as soon as possible.
A grace period will be observed after this community notification, and
before public disclosure so that unknown community deployers have time
to upgrade. Expected public disclosure date is 2013-09-30.
Unicon clients, subscribers of Unicon Open Source Support program, and
known deployers of shib-cas-authenticator have previously received
private notification.
If you have shib-cas-authenticator deployed, please contact me privately.
Best Regards,
Bill Thompson
IAM Practice Director, Unicon