> From: Andrew Morgan
> Sent: Thursday, January 22, 2015 12:42 PM
>
> You aren't affected when you use FastBindLdapAuthenticationHandler.

Thanks for confirming my initial analysis.

> It's hard to call this a vulnerability, which is probably why they didn't
> release it as such. More like, "here's CAS v3.5.3 which fixes a security
> related bug."

Well, I woke up a bit late this morning and found an announcement in my inbox saying: "You must notice that there is a security fix for the "LDAP login with wildcards" attack (CVE-2015-1169). You must upgrade if you use LDAP authentication."

That already has the buzzwords "security fix" and "must upgrade". Then I looked up the CVE, which includes the title "allows remote attackers to bypass LDAP authentication via crafted wildcards".

How can anybody not reasonably interpret the two of those as "Oh shit my CAS servers are Swiss cheese and are going to allow unauthorized access to random people" 8-/?

And then it turns out after a panicked investigation that only some LDAP configurations are vulnerable (not including mine), and even if vulnerable, other than some theoretical issue with confusing a client, there's really not much of a security problem going on.

So rather than "MUST UPGRADE NOW!", it's more like "IF you use BindLdapAuthenticationHandler, you should probably upgrade soon to avoid potential as yet unknown issues". <sigh>.

--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | hen...@cpp.edu
California State Polytechnic University | Pomona CA 91768
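The thread above concerns wildcards reaching an LDAP search filter during login. The following is an added example, not code from CAS or from anyone in this thread: it assumes a handler that looks the account up with a filter of the shape `(uid=<username>)` and shows how RFC 4515 escaping makes a `*` in the supplied username match literally instead of acting as a substring wildcard.

```python
import re

# RFC 4515 escapes for the characters that carry meaning inside an LDAP
# filter assertion value. Anything else is passed through unchanged.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is matched literally in an LDAP filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(username: str, escape: bool = True) -> str:
    """Build the lookup filter; escape=False mimics a handler that interpolates raw input.

    The "(uid=...)" shape is an assumption for this example, not CAS's actual filter.
    """
    value = escape_filter_value(username) if escape else username
    return f"(uid={value})"


def filter_has_wildcard(ldap_filter: str) -> bool:
    """True if the filter still contains an unescaped '*' (a substring match)."""
    return re.search(r"(?<!\\)\*", ldap_filter) is not None


if __name__ == "__main__":
    # Constructed sample usernames: a normal one and two containing wildcards.
    for name in ["henson", "hen*", "*"]:
        for esc in (False, True):
            f = build_uid_filter(name, escape=esc)
            label = "escaped" if esc else "raw    "
            print(f"{label} {f!r:16} wildcard={filter_has_wildcard(f)}")
```

A server-side check like `filter_has_wildcard` on the final filter string is a cheap regression test for any search-then-bind handler.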