CAS Server 3.4.11 Release

The CAS development team is pleased to announce the release of 3.4.11.  This is a maintenance release and includes bug fixes, security patches, and minor improvements.  It should be a drop-in replacement for overlays built against 3.4.10 except for a minor change to JPA configuration.

Release highlights:

  • Security fix to prevent CRLF attack vector in service parameter (CAS-1064)
  • Fix for JPA deadlocks (CAS-1051)
  • JPA-based locking strategy for HA ticket cleanup (CAS-930)
  • LDAP fixes and improvements (CAS-1055, CAS-1047)
  • UI fixes and improvements (CAS-1029, CAS-1040, CAS-1035, CAS-1036, CAS-1043)

Please see the release notes for a full description of changes.

We would like to thank all the developers who contributed to this release, in particular Travis Emmert and Bucky Spires of Veracode who reported the CRLF vulnerability.

This release is recommended for ALL deployers, and can be downloaded from the CAS Server 3.4.11 download page.