
Debian 10: DLA-3485-1 Critical: php-CAS Account Access Issue

Debian LTS
July 8, 2023
A vulnerability has been found in phpCAS, a Central Authentication Service client library in php, which may allow an attacker to gain access to a victim's account on a vulnerable C...

Summary

The fix for this vulnerability requires an API-breaking change in php-cas
and will require that software using the library be updated.

For buster, all packages in the Debian repositories which are using
php-cas have been updated, though additional manual configuration is to
be expected, as php-cas needs additional site information -- the service
base URL -- for it to function. The DLAs for the respective packages
will have additional information, as well as the package's NEWS files.

For third-party software using php-cas, please note that upstream
provided the following instructions on how to update this software [1]:

phpCAS now requires an additional service base URL argument when constructing
the client class. It accepts any argument of:

1. A service base URL string. The service URL discovery will always use this
server name (protocol, hostname and port number) without using any external
host names.
2. An array of service base URL strings. The service URL discovery will check
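The constructor change described above, as an added example that is not code from the advisory or the phpCAS project; the application and CAS host names, the `/cas` context path and the CA bundle path are assumptions, and the argument order follows the upstream phpCAS::client() signature as documented for the fixed releases:

```php
<?php
// Added example: migrating an application from the old phpCAS::client() call to
// the one that takes a service base URL. Host names and paths are assumed.
require_once 'CAS.php';   // path assumed; use the autoloader your deployment provides

// BEFORE (unpatched php-cas): no service base URL. The library derived the
// service URL for ticket validation from the incoming request, i.e. from an
// externally supplied host name.
//
//   phpCAS::client(CAS_VERSION_2_0, 'cas.example.org', 443, '/cas');

// AFTER (option 1 from the upstream instructions): pin the service base URL so
// service URL discovery never uses an external host name.
phpCAS::client(
    CAS_VERSION_2_0,
    'cas.example.org',          // CAS server host
    443,                        // CAS server port
    '/cas',                     // CAS server context path
    'https://app.example.org'   // service base URL: scheme, host and port of THIS app
);

// Option 2: an array of base URL strings when the same deployment is legitimately
// reached under more than one name. Discovery then selects from this list instead
// of trusting the request's host name.
//
//   phpCAS::client(CAS_VERSION_2_0, 'cas.example.org', 443, '/cas',
//                  ['https://app.example.org', 'https://app-internal.example.org']);

// Validate the CAS server's TLS certificate rather than skipping the check.
phpCAS::setCasServerCACert('/etc/ssl/certs/ca-certificates.crt');   // path assumed

phpCAS::forceAuthentication();

// Log the authenticated principal for audit trails.
error_log('CAS login for ' . phpCAS::getUser());
```

After upgrading, a client call that still passes only four arguments fails at construction, which is the quickest way to find every site that has not yet been migrated.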



Severity: critical

Package: php-cas
Version: 1.3.6-1+deb10u1
CVE ID: CVE-2022-39369
Debian Bug: 1023571
