Package: php-cas
Version: 1.3.1-2
Severity: grave
Tags: patch
Hi Olivier,
The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:
@@ -2418,6 +2428,7 @@ class CAS_Client
}
if ($this->_cas_server_ca_cert != '') {
$request->setSslCaCert($this->_cas_server_ca_cert);
+ $request->setSslCaCert($this->_cas_server_cn_validate);
}
// add extra stuff if SAML
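Review bot: the added line "$request->setSslCaCert($this->_cas_server_cn_validate);" is a logic error: it is a second call to the same setter, so the boolean CN-validation flag replaces the CA certificate path that the preceding line just set, and every CAS server request then fails CA verification. The flag should be the second argument of the existing call, not a separate call, i.e. "$request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate);". A backport that silently turns off server validation is worse than a failing build, so this hunk should not ship as is.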
As you can see, the code now sets setSslCaCert first with the correct CA
cert, but then sets it again with a boolean value. This makes all CA
validation fail and thus renders php-cas unusable.
The intended change, which is also upstream, is what is in the attached patch.
Can you provide a fixed package? Let me know if my help is needed.
Thanks,
Thijs
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- php-cas-1.3.1.orig/CAS-1.3.1/CAS/Client.php
+++ php-cas-1.3.1/CAS-1.3.1/CAS/Client.php
@@ -2427,8 +2427,7 @@ class CAS_Client
phpCAS::error('one of the methods phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.');
}
if ($this->_cas_server_ca_cert != '') {
- $request->setSslCaCert($this->_cas_server_ca_cert);
- $request->setSslCaCert($this->_cas_server_cn_validate);
+ $request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate);
}
// add extra stuff if SAML
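Review bot: the replacement line folds the CN-validation flag into a single setSslCaCert() call with the CA path as the first argument, which undoes the clobbering introduced in 1.3.1-2; before upload, check that the request class shipped in this package version actually accepts a second parameter on setSslCaCert(), otherwise the flag will be ignored and CN validation silently skipped. Also note that the header "@@ -2427,8 +2427,7 @@" promises eight old and seven new lines but only seven and six are visible above (the same off-by-one appears in the 1.3.1-2 hunk), so a blank context line was probably lost in the mail; regenerate the patch from the tree rather than applying this copy with fuzz.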