-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 11 Jul 2024 10:16:11 +0000
Source: php-cas
Architecture: source
Version: 1.3.8-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Xavier Guimard <yadd@debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1023571
Changes:
php-cas (1.3.8-1+deb11u1) bullseye; urgency=medium
.
* Security upload
* Fix CVE-2022-39369: The phpCAS library uses HTTP headers
to determine the service URL used to validate tickets.
This allows an attacker to control the host header
and use a valid ticket granted for any authorized service in the same
SSO realm (CAS server) to authenticate to the service protected by
phpCAS. Depending on the settings of the CAS server service registry, in
the worst case this may be any other service URL (if the allowed URLs are
configured to "^(https)://.*") or may be strictly limited to known and
authorized services in the same SSO federation if proper URL service
validation is applied.
The fix for this vulnerability requires an API breaking change
in php-cas and will require that software using the library be updated.
(Closes: #1023571)
Checksums-Sha1:
4a00d8a7cd056abcbe8e88cc1eec5aea4c6e5fea 1908 php-cas_1.3.8-1+deb11u1.dsc
a1083b8ec02c4f43ba8aaee2b696fafff8c1e567 68707 php-cas_1.3.8.orig.tar.gz
d3fec4fb45058eb9d024889abf660cad0212f7c2 10704 php-cas_1.3.8-1+deb11u1.debian.tar.xz
3ecbec2239b14f3517cbaaf4c6f5170355414401 6752 php-cas_1.3.8-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
6a437287439434ffd7f792286d2ba0e417b5e11c885caac416c88b516c500f07 1908 php-cas_1.3.8-1+deb11u1.dsc
aa7e7b9d1a4627ccede66a76ba22391654ef2288724769de0a9a37b47a4b50e1 68707 php-cas_1.3.8.orig.tar.gz
8411e15bc38b5151f2bb6402c8f2b8a9a85db2258ef5b54be0ecfd0ea4ff050e 10704 php-cas_1.3.8-1+deb11u1.debian.tar.xz
ae1682e0d4e9dfb2c9a0a3a03df02a56a1a22e6737ab68ca31901b9448ec765e 6752 php-cas_1.3.8-1+deb11u1_amd64.buildinfo
Files:
c4dac589a1013c303a3bdfb03340fa06 1908 php optional php-cas_1.3.8-1+deb11u1.dsc
94b4a0172d898c11bcb7ada8e33442f7 68707 php optional php-cas_1.3.8.orig.tar.gz
8f8ef1d6a9cbc5120a111c02b85318f2 10704 php optional php-cas_1.3.8-1+deb11u1.debian.tar.xz
6df8b0bcd289d89120b9b63f2f75707c 6752 php optional php-cas_1.3.8-1+deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----