IdP 3.3.3/CAS Advisory clarification


IdP 3.3.3/CAS Advisory clarification

O'Dowd, Josh

The advisory/announcement about the new IdP 3.3.3 version seems to describe the SimpleTicketService as being the vulnerability that needs to be mitigated. The solutions appear to be upgrade to 3.3.3, or change cas config to use encoding service ticket.

 

Can we then conclude that if we opt for solution 1 that v3.3.3 fixes SimpleTicketService and we can continue to use it safely?

 

Thanks

 

Josh O’Dowd

Software Systems Engineer / Identity Access Management

University of Montana

 


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: IdP 3.3.3/CAS Advisory clarification

Marvin Addison
On Wed, May 16, 2018 at 11:34 AM O'Dowd, Josh <[hidden email]> wrote:

> The solutions appear to be upgrade to 3.3.3, or change cas config to use encoding service ticket.


That is correct. Upgrade or swap components to mitigate the vulnerability.

M



RE: IdP 3.3.3/CAS Advisory clarification

O'Dowd, Josh

Thanks Marvin,

 

The question was really more about trying to confirm that v3.3.3 fixes SimpleTicketService. We have a number of services under the phpCAS client limitation. I want to make sure they don’t break if I upgrade to v3.3.3, since the EncodingTicketService isn’t an option for them.

 

Josh

 

From: users [mailto:[hidden email]] On Behalf Of Marvin Addison
Sent: Wednesday, May 16, 2018 11:23 AM
To: Shib Users <[hidden email]>
Subject: Re: IdP 3.3.3/CAS Advisory clarification

 

On Wed, May 16, 2018 at 11:34 AM O'Dowd, Josh <[hidden email]> wrote:

The solutions appear to be upgrade to 3.3.3, or change cas config to use encoding service ticket.

 

That is correct. Upgrade or swap components to mitigate the vulnerability.

 

M

 

