The advisory/announcement about the new IdP 3.3.3 version seems to describe the SimpleTicketService as being the vulnerability that needs to be mitigated. The solutions appear to be to upgrade to 3.3.3, or to change the CAS config to use encoding
Can we then conclude that, if we opt for solution 1, v3.3.3 fixes SimpleTicketService and we can continue to use it safely?
Software Systems Engineer / Identity Access Management
The question was really more about trying to confirm that v3.3.3 fixes SimpleTicketService. We have a number of services under the phpCAS client limitation.
I want to make sure they don’t break if I upgrade to v3.3.3, since the EncodingTicketService isn’t an option for them.
From: users [mailto:[hidden email]] On Behalf Of Marvin Addison
Sent: Wednesday, May 16, 2018 11:23 AM
To: Shib Users <[hidden email]>
Subject: Re: IdP 3.3.3/CAS Advisory clarification