Dear CAS Community,
we are pleased to announce the new 1.3.2 release [1] for phpCAS.
This release fixes one security issue (CVE-2012-5583) [5]:
Due to incorrect use of the curl library, phpCAS did not properly validate
the CAS server's CN in an SSL certificate [4]. This could allow an
attacker to assume the role of the CAS server if he is able to
manipulate the network (DNS, routing etc.) to reroute all validation
requests to his own CAS server.
The release also fixes various other minor bugs. For details please
refer to the Changelog [2] and the issues list on GitHub [5]. Please also
have a look at the Upgrading documentation [3] if you run into any
trouble during an upgrade.
Thanks to everyone who contributed, reported the issues and made this
release possible.
Cheers,
Joachim
[1] http://downloads.jasig.org/cas-clients/php/1.3.2/
[2] https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog
[3] https://github.com/Jasig/phpCAS/blob/master/docs/Upgrading
[4] https://github.com/Jasig/phpCAS/pull/58
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5583
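
The class of curl misuse described in this announcement, shown beside a strict configuration, as an added PHP example that is not phpCAS code. That the weak form is CURLOPT_SSL_VERIFYHOST passed as true/1 is an assumption based on how this option is commonly misused; the function name, the URL and the CA bundle path are hypothetical.

```php
<?php
// Added example, not phpCAS code. Function name, URL and CA path are hypothetical.

/**
 * Fetch a CAS validation response over HTTPS with full certificate checks.
 * Throws instead of returning data when any TLS check fails.
 */
function fetchCasValidation(string $url, string $caBundle): string
{
    if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('CAS validation URL must use https');
    }
    if (!is_readable($caBundle)) {
        throw new InvalidArgumentException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Verify the certificate chain against an explicit CA bundle.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_CAINFO         => $caBundle,
        // 2 = the name in the certificate must match the host in $url.
        // Weak form (assumed): passing true, which is cast to 1, only checked
        // that a CN existed, so any certificate from a trusted CA passed.
        CURLOPT_SSL_VERIFYHOST => 2,
        // Stay on HTTPS and do not follow redirects to another host.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 10,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $message = sprintf('CAS validation request failed (%d): %s',
            curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($message);
    }
    // 0 means the certificate verification succeeded.
    $verifyResult = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT);
    curl_close($ch);
    if ($verifyResult !== 0) {
        throw new RuntimeException("Certificate verification result: $verifyResult");
    }
    return $body;
}

// Usage with placeholder values:
// echo fetchCasValidation('https://cas.example.org/cas/serviceValidate?ticket=ST-placeholder&service=https%3A%2F%2Fapp.example.org%2F', '/etc/ssl/certs/ca-certificates.crt');
```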