-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Jul 2024 10:16:11 +0000
Source: php-cas
Architecture: source
Version: 1.3.8-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Xavier Guimard <yadd@debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1023571
Changes:
 php-cas (1.3.8-1+deb11u1) bullseye; urgency=medium
 .
   * Security upload
   * Fix CVE-2022-39369: The phpCAS library uses HTTP headers to determine
     the service URL used to validate tickets. This allows an attacker to
     control the host header and use a valid ticket granted for any
     authorized service in the same SSO realm (CAS server) to authenticate
     to the service protected by phpCAS. Depending on the settings of the
     CAS server service registry, in the worst case this may be any other
     service URL (if the allowed URLs are configured to "^(https)://.*") or
     may be strictly limited to known and authorized services in the same
     SSO federation if proper URL service validation is applied. The fix
     for this vulnerability requires an API breaking change in php-cas and
     will require that software using the library be updated.
     (Closes: #1023571)
Checksums-Sha1:
 4a00d8a7cd056abcbe8e88cc1eec5aea4c6e5fea 1908 php-cas_1.3.8-1+deb11u1.dsc
 a1083b8ec02c4f43ba8aaee2b696fafff8c1e567 68707 php-cas_1.3.8.orig.tar.gz
 d3fec4fb45058eb9d024889abf660cad0212f7c2 10704 php-cas_1.3.8-1+deb11u1.debian.tar.xz
 3ecbec2239b14f3517cbaaf4c6f5170355414401 6752 php-cas_1.3.8-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 6a437287439434ffd7f792286d2ba0e417b5e11c885caac416c88b516c500f07 1908 php-cas_1.3.8-1+deb11u1.dsc
 aa7e7b9d1a4627ccede66a76ba22391654ef2288724769de0a9a37b47a4b50e1 68707 php-cas_1.3.8.orig.tar.gz
 8411e15bc38b5151f2bb6402c8f2b8a9a85db2258ef5b54be0ecfd0ea4ff050e 10704 php-cas_1.3.8-1+deb11u1.debian.tar.xz
 ae1682e0d4e9dfb2c9a0a3a03df02a56a1a22e6737ab68ca31901b9448ec765e 6752 php-cas_1.3.8-1+deb11u1_amd64.buildinfo
Files:
 c4dac589a1013c303a3bdfb03340fa06 1908 php optional php-cas_1.3.8-1+deb11u1.dsc
 94b4a0172d898c11bcb7ada8e33442f7 68707 php optional php-cas_1.3.8.orig.tar.gz
 8f8ef1d6a9cbc5120a111c02b85318f2 10704 php optional php-cas_1.3.8-1+deb11u1.debian.tar.xz
 6df8b0bcd289d89120b9b63f2f75707c 6752 php optional php-cas_1.3.8-1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAma9HGERHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF8B+A//Uy1bRV9m53itkkRSiPAlqZi6o6iRDr2I
liVsrr2brP+X/HSGJzWJFccQ7IkvsaZD7tI9trkX7maYRseHzSgAKSaoIfJgpCtI
Wq6j2So7U1mMSakxBlEc5Bf+mVRZufrzfWjGXHFiLLCeGVPaVsrPkGTgmb7/B+c3
EYBeoqGyq10tDakC6b2jH8OM/FtnoeTWKykVk44RSwyQTCFBwA/yG7dNOH1owUeC
qGgzB0C0/6xc01Vc0/Lk9MxF2Y+ibXsBGOhjWMZ+5yKjjbEBuPU42lp4so1ioUD3
RIWEj0xMhPUXwFbRfRJdcTig2ISxOyg2clKHcqqvxs8dydkg+zN1NSE4L8bLBcnJ
08rjdDfZqpyOB5a6W6hEiXfy9i+GCUk+/E2BltQ71kIehJXA0zixqqE5Wgf62xqx
DvxzFQFoKSX3wdQyszxDXleUUxZhPN7w5TlOBBCY+txFMXtG+okEh8si+9otF9Z0
/IdQw76gEs/f0sInCoe3/sk+k3DRuL1jkFfUWl4Li+B1l7qTJdcRC/3ntYSAfjqe
VPDQXzjC8JhJ3eVfUvztL9b+8E0zdhsMDE7WkUS+Rj+Ec0fTZOCz8ydGUC6S11AE
YxXqH4ssHhCp7pa8OlbNANlW/IDmFUjD+saMr5jfbgSyksul5AY7EQmIesX9jwvr
zccibxduPn8=
=L3PQ
-----END PGP SIGNATURE-----