Hello Everyone,
I have googled the issue, but I was wondering if anyone has a more specific
answer.
I have a CAS 3.4.10 running Tomcat 7.0 and Java 1.7.0.
I need to disable SSLv3 and enable TLSv1.0, TLSv1.1 and TLSv1.2.
Also, to configure Forward Secrecy and apply the correct cipher suite.
Any
> From: J. Tozo
> Sent: Thursday, January 22, 2015 1:06 PM
>
> It can be considered a minor weakness because it makes it easier to
> successfully
You know what you don't do for a "minor weakness"? Publish a CVE with a title
including "allows remote attackers to bypass LDAP authentication via craf
Nope, it's used whenever you have user accounts spread across multiple OUs in a
way that prevents easily computing the DN, thus requiring a search to locate
the desired object before authentication.
Best regards,
--
Carlos M. Fernández
Sr. Enterprise Systems Admin
Saint Joseph's University
W: 61
Isn't "BindLdapAuthenticationHandler" for connection pooling only?
Thank You,
Chris Cheltenham
SwainTechs / HHS
Cell# 267-586-2369
-Original Message-
From: Paul B. Henson [mailto:hen...@csupomona.edu]
Sent: Thursday, January 22, 2015 4:41 PM
To: cas-user@lists.jasig.org
Subject: RE
> From: Andrew Morgan
> Sent: Thursday, January 22, 2015 12:42 PM
>
> You aren't affected when you use FastBindLdapAuthenticationHandler.
Thanks for confirming my initial analysis.
> It's hard to call this a vulnerability, which is probably why they didn't
> release it as such. More like, "here'
> From: Adam Causey
> Sent: Thursday, January 22, 2015 10:57 AM
>
> I am setting up a CAS proxy on a client that is clustered and am using the
> ehcache clustering option to distribute the PGTs between nodes.
Personally I would recommend the Hazelcast clustering option over the ehcache
mechanism
Hi,
It can be considered a minor weakness because it makes it easier to
successfully perpetrate a bruteforce attack. Using common passwords and
guessing the username using the wildcards.
A valid username and a password are required to simulate whether or not your
system has this vulnerability.
An
On Thu, 22 Jan 2015, Paul B. Henson wrote:
>> From: Jérôme LELEU Sent: Thursday, January 22, 2015 6:49 AM
>>
>> Yes indeed, you should upgrade to close the vulnerability if you use
>> LDAP authentication.
>
> You know, if you're going to announce a "holy crap upgrade now" security
> issue, it wo
> From: Jérôme LELEU
> Sent: Thursday, January 22, 2015 6:49 AM
>
> Yes indeed, you should upgrade to close the vulnerability if you use LDAP
> authentication.
You know, if you're going to announce a "holy crap upgrade now" security issue,
it would be nice to get a little advance notice that it'
I am setting up a CAS proxy on a client that is clustered and am using the
ehcache clustering option to distribute the PGTs between nodes. I am
trying to determine the cache size needed (maxEntriesLocalHeap setting) and
the TTL.
Are Proxy Granting Tickets reused, or are they one time use only?
I
On Thu, Jan 22, 2015 at 8:07 AM, Tiit Kaeeli wrote:
> Hi,
>
> For LDAP based group authorization on Apache, I tried to enable SAML
> support.
>
> http://permalink.gmane.org/gmane.comp.java.jasig.cas.user/26597
> notes, that
>
> mod_auth_cas 1.0.9.1 cannot parse the Value="saml1p:Success"/> part o
Carl,
Thank you for your reply and helpful hints. To answer your question, there is
no proxy.
I wanted to narrow the problem down to CAS/Tomcat or MySQL. I will be doing
some investigating of the latter. Thank you again.
#-Original Message-
#From: Waldbieser, Carl [mailto:waldb...@la
Yes indeed, you should upgrade to close the vulnerability if you use LDAP
authentication.
Best regards,
Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
2015-01-22 14:47 GMT+01:00 Chris Chelten
You might try asking this on the mod-auth-cas-dev mailing list
(although I think some of the people on that list are also on this
list).
Milt Epstein
Applications Developer
Graduate School of Library and Information Science (GSLIS)
University of Illinois at Urbana-Champaign (UIUC)
mepst...@illinoi
Hello,
I just saw this in a CAS 3.5.3 update release note:
You must notice that there is a security fix for the "LDAP login with wildcards"
attack (CVE-2015-1169). You must upgrade if you use LDAP authentication
Are you saying one SHOULD upgrade if we use LDAP to CAS ver 3.5.3 to close the
vuln
Hi,
For LDAP based group authorization on Apache, I tried to enable SAML
support.
http://permalink.gmane.org/gmane.comp.java.jasig.cas.user/26597
notes, that
mod_auth_cas 1.0.9.1 cannot parse the part of this response.
To get around this, either use git master or use the patch from
https://
Hi,
I'm proud to announce the new release 4.0.1 of the CAS server. It's
available on the Maven Central repository:
http://search.maven.org/#artifactdetails%7Corg.jasig.cas%7Ccas-server-webapp%7C4.0.1%7Cwar
.
Here are the release notes: https://github.com/Jasig/cas/releases/tag/v4.0.1
.
Thanks.
B
Hi,
I'm proud to announce the new release 3.5.3 of the CAS server. It's
available on the Maven Central repository:
http://search.maven.org/#artifactdetails%7Corg.jasig.cas%7Ccas-server-webapp%7C3.5.3%7Cwar
.
Here are the release notes: https://github.com/Jasig/cas/releases/tag/v3.5.3
.
You must
18 matches