[upki-fed:00688] Vulnerability in shib-cas-authenticator (fixed in 1.3.0.1)



This is Nishimura from NII.

As shown below, information about a vulnerability in
shib-cas-authenticator is circulating.
If you use Shibboleth in combination with CAS, please take note.

-------- Original Message --------
Subject: Security notification regarding shib-cas-authenticator
Date: Tue, 17 Sep 2013 12:18:23 -0400
From: William G. Thompson, Jr. <xxxxxx@xxxxxxxxx>
Reply-To: Shib Users <xxxxx@xxxxxxxxxxxxxx>
To: Shib Users <xxxxx@xxxxxxxxxxxxxx>

This is a security notification regarding the shib-cas-authenticator,
a commonly deployed mechanism to integrate CAS and Shibboleth.  This
issue only affects CAS and Shibboleth deployments that have deployed
this module.

A critical security vulnerability has been confirmed in
shib-cas-authenticator version 1.3 and earlier, such that a moderately
sophisticated attacker could impersonate any user.  A fix for this
vulnerability is available in version 1.3.0.1 and all deployers are
encouraged to upgrade as soon as possible.

A grace period will be observed after this community notification, and
before public disclosure so that unknown community deployers have time
to upgrade.  Expected public disclosure date is 2013-09-30.

Unicon clients, subscribers of Unicon Open Source Support program, and
known deployers of shib-cas-authenticator have previously received
private notification.

If you have shib-cas-authenticator deployed, please contact me privately.

Best Regards,
Bill Thompson
IAM Practice Director, Unicon