Package: php-cas
Version: 1.3.1-2
Severity: grave
Tags: patch

Hi Olivier,
The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:

@@ -2418,6 +2428,7 @@ class CAS_Client } if ($this->_cas_server_ca_cert != '') { $request->setSslCaCert($this->_cas_server_ca_cert); + $request->setSslCaCert($this->_cas_server_cn_validate); } // add extra stuff if SAML

As you can see, the code now sets setSslCaCert first with the correct CA cert, but then sets it again with a boolean value. This makes all CA validation fail and thus renders php-cas unusable. The intended change, which is also upstream, is what is in the attached patch.

Can you provide a fixed package? Let me know if my help is needed.

Thanks,
Thijs

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
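The two call sequences described in the report, modelled as an added example. This is not phpCAS code: `ExampleRequest` is a hypothetical stand-in for the request object, and its `setSslCaCert($caCert, $validateCn)` signature and the cURL option mapping are assumptions chosen to mirror the shape the fix relies on. It shows why the 1.3.1-2 sequence leaves the request with no usable CA path (and also resets the CN flag), while a single two-argument call keeps both values.

```php
<?php
// Added example, not phpCAS code. ExampleRequest is a hypothetical stand-in for
// the request object; its setSslCaCert() signature is an assumption.

class ExampleRequest
{
    private $caCert = '';
    private $validateCn = true;

    // CA bundle path plus CN-validation flag in one call (assumed shape).
    public function setSslCaCert($caCert, $validateCn = true)
    {
        $this->caCert = $caCert;
        $this->validateCn = (bool) $validateCn;
    }

    // How the settings would map onto cURL options (constructed mapping).
    public function curlOptions()
    {
        return array(
            CURLOPT_CAINFO         => $this->caCert,
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => $this->validateCn ? 2 : 0,
        );
    }

    // Fail-closed check: anything other than a readable file as the CA path means
    // every server certificate would be rejected, which is the reported symptom.
    public function caPathUsable()
    {
        return is_string($this->caCert)
            && $this->caCert !== ''
            && is_readable($this->caCert);
    }
}

// Constructed placeholder CA bundle so the readability check has a real file.
$caFile = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($caFile, "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n");
$cnValidate = false; // sample value for _cas_server_cn_validate

// Sequence shipped in 1.3.1-2: the second call overwrites the CA path with a
// boolean and, because the second parameter defaults, also resets the CN flag.
$broken = new ExampleRequest();
$broken->setSslCaCert($caFile);
$broken->setSslCaCert($cnValidate);
$brokenOptions = $broken->curlOptions();
printf("1.3.1-2 sequence: CA path usable=%s, CAINFO=%s, VERIFYHOST=%d\n",
    $broken->caPathUsable() ? 'yes' : 'no',
    var_export($brokenOptions[CURLOPT_CAINFO], true),
    $brokenOptions[CURLOPT_SSL_VERIFYHOST]);

// Sequence from the attached patch: one call carrying both values.
$fixed = new ExampleRequest();
$fixed->setSslCaCert($caFile, $cnValidate);
$fixedOptions = $fixed->curlOptions();
printf("patched sequence: CA path usable=%s, CAINFO=%s, VERIFYHOST=%d\n",
    $fixed->caPathUsable() ? 'yes' : 'no',
    var_export($fixedOptions[CURLOPT_CAINFO], true),
    $fixedOptions[CURLOPT_SSL_VERIFYHOST]);

unlink($caFile);
```

Run it with the PHP CLI; the first line shows the CA path replaced by `false`, the second shows the path retained with the CN setting honoured as configured.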
--- php-cas-1.3.1.orig/CAS-1.3.1/CAS/Client.php +++ php-cas-1.3.1/CAS-1.3.1/CAS/Client.php @@ -2427,8 +2427,7 @@ class CAS_Client phpCAS::error('one of the methods phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.'); } if ($this->_cas_server_ca_cert != '') { - $request->setSslCaCert($this->_cas_server_ca_cert); - $request->setSslCaCert($this->_cas_server_cn_validate); + $request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate); } // add extra stuff if SAML
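Review bot: the single-call form `$request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate);` only restores CN validation if the request class's setSslCaCert() in the packaged 1.3.1 source actually declares a second parameter; that signature is not part of this hunk, and PHP silently discards extra arguments passed to a user-defined method that does not declare them, so if only the one-argument form exists the CA path would be correct but the CN-validation setting would be dropped without any error. Worth confirming against the request class definition in the same source tree before upload. The two removed lines also document why 1.3.1-2 failed closed: the second call overwrote the CA path set on the line above with a boolean, so every server certificate was rejected rather than validation being bypassed.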