Dear CAS Community,

We've just posted security releases for the CAS Server. They can be downloaded here:

* http://www.jasig.org/cas_server_3_4_2_1
* http://www.jasig.org/cas_server_3_3_5_1

In addition, users of CAS 3.4.2 can upgrade to CAS 3.4.2.1 via the Maven Repository. Due to the change in the hosting of repositories between 3.3.5 and 3.4.2, it's not possible for us to post the 3.3.5.1 artifacts.

Nature of vulnerability:

The following pages were susceptible to XSS:

* CAS Logout Page (we actually removed the url param by default)
* CAS Services Management Failed Authorization Page
* CAS Post Response View

In addition, by default, as a security precaution, the Services Management Tool comes configured with services that only allow http, https, imap, and imaps protocol URLs. If you are not using the Services Management Tool more explicitly (with specific services), we recommend you leave the defaults enabled.

For those who may be using older versions of CAS, or who may not wish to upgrade, the changeset of changes can be found here:
https://developer.jasig.org/source/changelog/jasigsvn/?cs=21201

Thanks to Matt McCutchen and David Bourgeois for reporting the issue.

Cheers,
Scott

--
Scott Battaglia
Chair, Jasig CAS Steering Committee
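The two defensive measures the announcement mentions (no longer reflecting the logout page's url parameter, and a default service allow-list limited to http, https, imap and imaps URLs) are illustrated below as an added example. This is not CAS code and does not reproduce CAS's own service-pattern syntax; the function names, the `ALLOWED_SCHEMES` set and the sample inputs are assumptions made for the illustration.

```python
from html import escape
from urllib.parse import urlsplit

# Assumption: only the four schemes named in the announcement are permitted.
# CAS expresses this as service URL patterns; a plain scheme set is used here.
ALLOWED_SCHEMES = frozenset({"http", "https", "imap", "imaps"})


def service_url_allowed(url, allowed=ALLOWED_SCHEMES):
    """Return True only for absolute URLs whose scheme is on the allow-list.

    Rejects javascript:, data:, vbscript: and scheme-relative (//host) URLs,
    all of which turn a reflected "return to service" link into script
    execution or an off-site redirect even if the value is HTML-escaped.
    """
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in allowed and bool(parts.netloc)


def render_logout_link_unsafe(url_param):
    """Vulnerable pattern (illustrative, not CAS code): the url parameter
    is written into the page with no validation and no escaping."""
    return '<a href="%s">Return to application</a>' % url_param


def render_logout_link_safe(url_param):
    """Hardened pattern: render a link only for an allow-listed absolute URL,
    and HTML-escape it before placing it inside an attribute value."""
    if not service_url_allowed(url_param):
        return ""  # nothing reflected at all, matching the direction of the fix
    return '<a href="%s">Return to application</a>' % escape(url_param, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    payload = '"><script>alert(1)</script>'
    print(render_logout_link_unsafe(payload))      # script tag lands in the page
    print(repr(render_logout_link_safe(payload)))  # '' : parameter not reflected
    for u in ["https://app.example.org/login", "imaps://mail.example.org",
              "javascript:alert(1)", "data:text/html,<script>alert(1)</script>",
              "//evil.example.net/", "ftp://files.example.org/"]:
        print("%-55r allowed=%s" % (u, service_url_allowed(u)))
```

Two caveats a practitioner should keep in mind: escaping alone is not enough for a URL that ends up in an `href`, because a `javascript:` value needs no markup characters, which is why the scheme check runs first; and a scheme allow-list still permits redirects to any host, so the stronger control remains registering specific services in the Services Management Tool, as the announcement recommends.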
