php-cas (1.3.8-1+deb11u1) bullseye-security; urgency=medium

  * A vulnerability has been found in phpCAS, a Central Authentication
    Service client library in php, which may allow an attacker to gain
    access to a victim's account on a vulnerable CASified service without
    victim's knowledge, when the victim visits attacker's website while
    being logged in to the same CAS server.

    The fix for this vulnerabilty requires an API breaking change in php-cas
    and will require that software using the library be updated.

    For bullseye, all packages in the Debian repositories which are using
    php-cas have been updated, though additional manual configuration is to
    be expected, as php-cas needs additional site information -- the service
    base URL -- for it to function. The DLAs for the respective packages
    will have additional information, as well as the package's NEWS files.

    For 3rd party software using php-cas, please be note that upstream
    provided following instructions how to update this software [1]:

    phpCAS now requires an additional service base URL argument when
    constructing the client class. It accepts any argument of:

    1. A service base URL string. The service URL discovery will always use
       this server name (protocol, hostname and port number) without using
       any external host names.
    2. An array of service base URL strings. The service URL discovery
       will check against this list before using the auto discovered base URL.
       If there is no match, the first base URL in the array will be used as
       the default. This option is helpful if your PHP website is accessible
       through multiple domains without a canonical name, or through both
       HTTP and HTTPS.
    3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to
       customize the base URL discovery behavior, you can pass in a class that
       implements the interface.

    Constructing the client class is usually done with phpCAS::client().

    For example, using the first possiblity:
     phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
  could become:
    phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, "https://casified-service.example.org:8080";);

 -- Bastien Roucariès <rouca@debian.org>  Thu, 11 Jul 2024 10:17:22 +0000