Your message dated Mon, 07 Nov 2022 08:34:37 +0000
with message-id <e1orxax-005tmy...@fasolo.debian.org>
and subject line Bug#1023571: fixed in php-cas 1.6.0-1
has caused the Debian Bug report #1023571,
regarding php-cas: CVE-2022-39369: Service Hostname Discovery Exploitation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1023571: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023571
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-cas
Version: 1.3.8-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.3.6-1

Hi,

The following vulnerability was published for php-cas.

CVE-2022-39369[0]:
| phpCAS is an authentication library that allows PHP applications to
| easily authenticate users via a Central Authentication Service (CAS)
| server. The phpCAS library uses HTTP headers to determine the service
| URL used to validate tickets. This allows an attacker to control the
| host header and use a valid ticket granted for any authorized service
| in the same SSO realm (CAS server) to authenticate to the service
| protected by phpCAS. Depending on the settings of the CAS server
| service registry in worst case this may be any other service URL (if
| the allowed URLs are configured to "^(https)://.*") or may be strictly
| limited to known and authorized services in the same SSO federation if
| proper URL service validation is applied. This vulnerability may allow
| an attacker to gain access to a victim's account on a vulnerable
| CASified service without victim's knowledge, when the victim visits
| attacker's website while being logged in to the same CAS server.
| phpCAS 1.6.0 is a major version upgrade that starts enforcing service
| URL discovery validation, because there is unfortunately no 100% safe
| default config to use in PHP. Starting this version, it is required to
| pass in an additional service base URL argument when constructing the
| client class. For more information, please refer to the upgrading doc.
| This vulnerability only impacts the CAS client that the phpCAS library
| protects against. The problematic service URL discovery behavior in
| phpCAS < 1.6.0 will only be disabled, and thus you are not impacted
| from it, if the phpCAS configuration has the following setup: 1.
| `phpCAS::setUrl()` is called (a reminder that you have to pass in the
| full URL of the current page, rather than your service base URL), and
| 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is
| enabled. 3. If your PHP's HTTP header input `X-Forwarded-Host`,
| `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`,
| `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse
| proxy, for example), you will not be impacted by this vulnerability either. If
| your CAS server service registry is configured to only allow known and
| trusted service URLs the severity of the vulnerability is reduced
| substantially in its severity since an attacker must be in control of
| another authorized service. Otherwise, you should upgrade the library
| to get the safe service discovery behavior.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39369
    https://www.cve.org/CVERecord?id=CVE-2022-39369
[1] https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64

Regards,
Salvatore

--- End Message ---
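The advisory above describes the flaw in protocol terms: the CASified service asks the CAS server to validate a ticket against a service URL it derived from the request's own `Host`/`X-Forwarded-*` headers, so an attacker can replay a ticket issued for a different service. The following is an added model of that exchange, not phpCAS code and not part of the bug report: a toy CAS server that issues single-use tickets bound to a service URL, a client that discovers its service URL from headers (the phpCAS < 1.6.0 behaviour), and a client anchored to a configured service base URL (what phpCAS 1.6.0 requires via the extra constructor argument). The hostnames are constructed, and the header lookup order is an assumption taken from the header list in the advisory, not from phpCAS source.

```python
"""Model of the phpCAS service-URL discovery flaw (CVE-2022-39369).

Constructed example: a toy CAS server plus two variants of a CASified
service. One derives its service URL from request headers (the behaviour
the advisory describes for phpCAS < 1.6.0); the other uses an operator
configured service base URL (the 1.6.0 fix). Hostnames are made up.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CasServer:
    """Toy CAS server: issues one-time service tickets bound to a service URL."""
    service_registry: str                  # regex of service URLs allowed to log in
    tickets: dict = field(default_factory=dict)

    def login(self, user: str, service: str) -> Optional[str]:
        """Browser redirect to /cas/login?service=...; None if the registry refuses."""
        if not re.fullmatch(self.service_registry, service):
            return None
        ticket = "ST-" + secrets.token_hex(8)
        self.tickets[ticket] = (user, service)
        return ticket

    def service_validate(self, service: str, ticket: str) -> Optional[str]:
        """/cas/serviceValidate: the ticket is single-use and bound to one service URL."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        user, bound_service = entry
        return user if bound_service == service else None


def service_url_from_headers(headers: dict, path: str) -> str:
    """Vulnerable discovery: trust the request's own host/proto headers.
    Modeled after the header list in the advisory; lookup order is an assumption."""
    host = (headers.get("X-Forwarded-Host")
            or headers.get("X-Forwarded-Server")
            or headers["Host"])
    proto = (headers.get("X-Forwarded-Proto")
             or headers.get("X-Forwarded-Protocol")
             or "https")
    return f"{proto}://{host}{path}"


def service_url_from_config(service_base_url: str, path: str) -> str:
    """Hardened: the service URL is anchored to the configured base URL, never to headers."""
    return service_base_url.rstrip("/") + path


def authenticate(cas: CasServer, request: dict,
                 service_base_url: Optional[str] = None) -> Optional[str]:
    """CASified app handling ?ticket=...: returns the user CAS vouches for, or None."""
    if service_base_url is None:
        service = service_url_from_headers(request["headers"], request["path"])
    else:
        service = service_url_from_config(service_base_url, request["path"])
    return cas.service_validate(service, request["ticket"])


APP = "https://app.example"                          # the CASified target (constructed)
ATTACKER_SERVICE = "https://attacker.example/app/"   # attacker-controlled service (constructed)


def legitimate_login(hardened: bool) -> Optional[str]:
    """Normal flow: ticket issued for the app's own URL, presented with the app's Host."""
    cas = CasServer(r"https://.*")
    ticket = cas.login("victim", APP + "/app/")
    req = {"headers": {"Host": "app.example"}, "path": "/app/", "ticket": ticket}
    return authenticate(cas, req, APP if hardened else None)


def cross_service_ticket_attack(hardened: bool,
                                registry: str = r"https://.*") -> Optional[str]:
    """The attacker's page sends the SSO-logged-in victim to CAS with
    service=<attacker URL>, collects the ticket, then replays it to the target
    app from their own machine with an attacker-chosen X-Forwarded-Host."""
    cas = CasServer(registry)
    ticket = cas.login("victim", ATTACKER_SERVICE)
    if ticket is None:
        return None                        # registry refused the attacker's service URL
    req = {"headers": {"Host": "app.example", "X-Forwarded-Host": "attacker.example"},
           "path": "/app/", "ticket": ticket}
    return authenticate(cas, req, APP if hardened else None)


if __name__ == "__main__":
    print("legit, vulnerable client :", legitimate_login(False))
    print("legit, hardened client   :", legitimate_login(True))
    print("attack, vulnerable client:", cross_service_ticket_attack(False))
    print("attack, hardened client  :", cross_service_ticket_attack(True))
    print("attack, strict registry  :",
          cross_service_ticket_attack(False, registry=r"https://app\.example/.*"))
```

With the permissive `^https://.*` registry the advisory calls the worst case, the header-driven client hands the attacker a session as `victim`; the client anchored to its configured base URL validates against `https://app.example/app/`, the CAS server sees a service mismatch and rejects the ticket. The last call shows the advisory's second mitigating factor: a registry limited to known services refuses to issue the attacker a ticket in the first place, which is why the advisory rates the flaw lower when service validation is configured but still advises upgrading.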
--- Begin Message ---
Source: php-cas
Source-Version: 1.6.0-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-cas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated php-cas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Nov 2022 08:40:18 +0100
Source: php-cas
Architecture: source
Version: 1.6.0-1
Distribution: unstable
Urgency: medium
Maintainer: Yadd <y...@debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1023571
Changes:
 php-cas (1.6.0-1) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * Bump debhelper from old 12 to 13.
   * Set field Upstream-Contact in debian/copyright.
   * Set upstream metadata fields: Bug-Submit.
   * Remove obsolete fields Contact, Name from debian/upstream/metadata (already
     present in machine-readable debian/copyright).
   * Update standards version to 4.5.1, no changes needed.
 .
   [ Yadd ]
   * Fix debian/watch
   * New upstream release (Closes: #1023571, CVE-2022-39369)
   * Update standards version to 4.6.1, no changes needed.
Checksums-Sha1: 
 62aa6456de7255c882a65d78f825fa20575c7367 1838 php-cas_1.6.0-1.dsc
 8f79f97c5a1dd710918a8fd681f5abe27d7da881 75385 php-cas_1.6.0.orig.tar.gz
 1e0c091a40e8815f8e41bbf0eeb30404013dea3b 4196 php-cas_1.6.0-1.debian.tar.xz
Checksums-Sha256: 
 655383bd3e483c8de6b92c4fa7d8030b94495ce98e34f9b751332ff44e12e638 1838 php-cas_1.6.0-1.dsc
 11bdd41c7a4d3c90c8039588763ceac0633bc4732e1e04664f816a7d8a3cc2ff 75385 php-cas_1.6.0.orig.tar.gz
 41dfbcd8db2988614c4b2d75bc0919112f267d3dab1df5bc197bbfd667798432 4196 php-cas_1.6.0-1.debian.tar.xz
Files: 
 166b03c689d57f9c684b0c874b1fdfac 1838 php optional php-cas_1.6.0-1.dsc
 71182d1c0dc75509a8545264f71e1fbe 75385 php optional php-cas_1.6.0.orig.tar.gz
 208a68ca64cd6de08263b387d8fd4b87 4196 php optional php-cas_1.6.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
