php-cas: CVE-2017-1000071

Related Vulnerabilities: CVE-2017-1000071  

Debian Bug report logs - #868466
php-cas: CVE-2017-1000071


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 15 Jul 2017 19:09:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version php-cas/1.3.3-1

Fixed in version php-cas/1.3.6-1

Done: Xavier Guimard <yadd@debian.org>

Forwarded to https://github.com/Jasig/phpCAS/issues/228



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#868466; Package src:php-cas. (Sat, 15 Jul 2017 19:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Sat, 15 Jul 2017 19:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-cas: CVE-2017-1000071
Date: Sat, 15 Jul 2017 21:06:41 +0200
Source: php-cas
Version: 1.3.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Jasig/phpCAS/issues/228

Hi,

the following vulnerability was published for php-cas.

CVE-2017-1000071[0]:
| Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass
| in the validateCAS20 function when configured to authenticate against
| an old CAS server.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000071
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000071
[1] https://github.com/Jasig/phpCAS/issues/228

Regards,
Salvatore
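The advisory above concerns phpCAS's CAS 2.0 ticket validation (validateCAS20) when the client is pointed at an older CAS server. As an added illustration that is not phpCAS code and does not reproduce the specific bug, the following PHP check fails closed on any /serviceValidate response that is not a well-formed CAS 2.0 success; the element and namespace names are those of the CAS protocol, while the function name and the sample responses are constructed.

```php
<?php
// Added illustration, not phpCAS code: a fail-closed check of the XML a CAS 2.0
// /serviceValidate endpoint returns. Anything but a well-formed
// <cas:serviceResponse> holding exactly one <cas:authenticationSuccess> with a
// non-empty <cas:user> is rejected, including the plaintext "yes\nuser" reply
// an older CAS 1.0 endpoint sends.
const CAS_NS = 'http://www.yale.edu/tp/cas';

/** Returns the authenticated username, or null if the response must be rejected. */
function validateCas20Response(string $body): ?string
{
    // A CAS 1.0 server answers in plain text, not XML: refuse rather than guess.
    if (substr(ltrim($body), 0, 1) !== '<') {
        return null;
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks external fetches; entity substitution stays off.
    $ok = $doc->loadXML($body, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('cas', CAS_NS);
    // A failure element anywhere in the document overrides any success element.
    if ($xp->query('//cas:authenticationFailure')->length > 0) {
        return null;
    }
    // The absolute path also pins the document element to cas:serviceResponse.
    $success = $xp->query('/cas:serviceResponse/cas:authenticationSuccess');
    if ($success->length !== 1) {
        return null;
    }
    $user = $xp->query('cas:user', $success->item(0));
    $name = $user->length === 1 ? trim($user->item(0)->textContent) : '';
    return $name === '' ? null : $name;
}

// Constructed samples: a CAS 2.0 success, a CAS 1.0 plaintext reply and a
// CAS 2.0 failure. Only the first yields a username.
$ns = 'xmlns:cas="' . CAS_NS . '"';
$good = "<cas:serviceResponse $ns><cas:authenticationSuccess><cas:user>alice</cas:user>"
      . '</cas:authenticationSuccess></cas:serviceResponse>';
$legacy = "yes\nalice\n";
$failure = "<cas:serviceResponse $ns><cas:authenticationFailure code=\"INVALID_TICKET\">"
         . 'no</cas:authenticationFailure></cas:serviceResponse>';
var_dump(validateCas20Response($good), validateCas20Response($legacy), validateCas20Response($failure));
```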



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 20 Jul 2017 17:51:16 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#868466; Package src:php-cas. (Fri, 08 Feb 2019 22:18:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 08 Feb 2019 22:18:05 GMT)


Message #12 received at 868466@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 868466@bugs.debian.org
Subject: Re: php-cas: CVE-2017-1000071
Date: Fri, 8 Feb 2019 23:15:55 +0100

On Sat, Jul 15, 2017 at 09:06:41PM +0200, Salvatore Bonaccorso wrote:
> Source: php-cas
> Version: 1.3.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/Jasig/phpCAS/issues/228
> 
> Hi,
> 
> the following vulnerability was published for php-cas.
> 
> CVE-2017-1000071[0]:
> | Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass
> | in the validateCAS20 function when configured to authenticate against
> | an old CAS server.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Fixed in https://github.com/apereo/phpCAS/commit/c9ba00327fd0ac8faecc62ce150c1986022856cd

Cheers,
        Moritz



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Fri, 08 Feb 2019 22:18:06 GMT)


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Sun, 10 Feb 2019 09:33:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 10 Feb 2019 09:33:06 GMT)


Message #19 received at 868466-close@bugs.debian.org:

From: Xavier Guimard <yadd@debian.org>
To: 868466-close@bugs.debian.org
Subject: Bug#868466: fixed in php-cas 1.3.6-1
Date: Sun, 10 Feb 2019 09:29:23 +0000
Source: php-cas
Source-Version: 1.3.6-1

We believe that the bug you reported is fixed in the latest version of
php-cas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868466@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated php-cas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Feb 2019 09:29:07 +0100
Source: php-cas
Binary: php-cas
Architecture: source
Version: 1.3.6-1
Distribution: unstable
Urgency: medium
Maintainer: Xavier Guimard <yadd@debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 868466
Description: 
 php-cas    - Central Authentication Service client library in php
Changes:
 php-cas (1.3.6-1) unstable; urgency=medium
 .
   * Update debian/watch
   * New upstream version 1.3.6 (Closes: #868466, CVE-2017-1000071)
   * Bump debhelper compatibility level to 11
   * Declare compliance with policy 4.3.0
   * Set me as maintainer (See: #757231)
   * Drop old patches
   * Update install
   * Drop debian/examples
   * Update docs
   * Update debian/copyright
   * Update VCS fields to salsa
   * Add upstream/metadata
   * Clean debian/rules
   * Fix description
   * Update homepage







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:25:59 2019; Machine Name: beach
