-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Jul 2024 10:16:11 +0000
Source: php-cas
Binary: php-cas
Architecture: all
Version: 1.3.8-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Bastien Roucariès
Description:
 php-cas - Central Authentication Service client library in php
Closes: 1023571
Changes:
 php-cas (1.3.8-1+deb11u1) bullseye; urgency=medium
 .
   * Security upload
   * Fix CVE-2022-39369: The phpCAS library uses HTTP headers to determine
     the service URL used to validate tickets. This allows an attacker to
     control the Host header and use a valid ticket granted for any
     authorized service in the same SSO realm (CAS server) to authenticate
     to the service protected by phpCAS. Depending on the settings of the
     CAS server service registry, in the worst case this may be any other
     service URL (if the allowed URLs are configured to "^(https)://.*"),
     or it may be strictly limited to known and authorized services in the
     same SSO federation if proper service URL validation is applied.
     The fix for this vulnerability requires an API-breaking change in
     php-cas and will require that software using the library be updated.
     (Closes: #1023571)
Checksums-Sha1:
 ad2f010eec2f3c7c64d50e7b28bb2419a15f9853 6474 php-cas_1.3.8-1+deb11u1_all-buildd.buildinfo
 6e397ad0d284847294884c92fa7f288740f20252 58108 php-cas_1.3.8-1+deb11u1_all.deb
Checksums-Sha256:
 4619c62c316a2f2afc742c72a43ae10b158682365dcbc098d5ec82075663afe3 6474 php-cas_1.3.8-1+deb11u1_all-buildd.buildinfo
 5877d6f480c778068b0f553ba22d2222afa0b64368defdc6f42554e270d94080 58108 php-cas_1.3.8-1+deb11u1_all.deb
Files:
 7afeef0c36a2ad6cdfe3a36b381c30c2 6474 php optional php-cas_1.3.8-1+deb11u1_all-buildd.buildinfo
 84e4d835b8a70b5a12533e5ec8c2bf29 58108 php optional php-cas_1.3.8-1+deb11u1_all.deb

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
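As an added example that is not part of this upload nor of phpCAS's own code, the two derivations the changelog contrasts, written in PHP: the service URL taken from request headers (the behaviour the CVE describes) beside the same URL built from a configured base, with a defensive check that the URL a ticket is validated for really belongs to this deployment. Host names, paths and the ticket value are constructed placeholders.

```php
<?php
// Added example (not phpCAS code): how the service URL a CAS ticket is
// validated against is derived. Host names and paths are constructed.

// Vulnerable derivation: scheme and host are taken from request headers,
// so a client that controls the Host header controls the service URL.
// (The query string, minus the ticket, is omitted here for brevity.)
function serviceUrlFromHeaders(array $server): string
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $path  = parse_url($server['REQUEST_URI'], PHP_URL_PATH) ?: '/';
    return ($https ? 'https' : 'http') . '://' . $server['HTTP_HOST'] . $path;
}

// Hardened derivation: scheme and host come from deployment configuration
// (the post-fix phpCAS API requires such a base URL); only the path is
// taken from the request.
function serviceUrlFromConfig(string $serviceBaseUrl, array $server): string
{
    $path = parse_url($server['REQUEST_URI'], PHP_URL_PATH) ?: '/';
    return rtrim($serviceBaseUrl, '/') . $path;
}

// Defensive check: true only when $url has exactly the configured base's
// scheme, host and port, i.e. the ticket is validated for this service.
function isTrustedService(string $url, string $serviceBaseUrl): bool
{
    $u = parse_url($url);
    $b = parse_url($serviceBaseUrl);
    return $u !== false && $b !== false
        && ($u['scheme'] ?? '') === ($b['scheme'] ?? '')
        && strcasecmp($u['host'] ?? '', $b['host'] ?? '') === 0
        && ($u['port'] ?? null) === ($b['port'] ?? null);
}

// Constructed request: the app is deployed at app.example.org, but the
// Host header names another service in the same SSO realm.
$serviceBaseUrl = 'https://app.example.org';
$server = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'other.example.org',
    'REQUEST_URI' => '/secure/index.php?ticket=ST-placeholder',
];

foreach (['header-derived' => serviceUrlFromHeaders($server),
          'config-derived' => serviceUrlFromConfig($serviceBaseUrl, $server)] as $how => $url) {
    printf("%-15s %s  trusted=%s\n", $how, $url,
        isTrustedService($url, $serviceBaseUrl) ? 'yes' : 'no');
}
```

The header-derived URL fails the check because its host is whatever the client sent, which is exactly the ticket-for-another-service problem the changelog describes; the config-derived URL passes regardless of the Host header.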