Hi. Thijs Kinkhorst <th...@debian.org> writes:
> The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:
>
> @@ -2418,6 +2428,7 @@ class CAS_Client > } > if ($this->_cas_server_ca_cert != '') { > $request->setSslCaCert($this->_cas_server_ca_cert); > + $request->setSslCaCert($this->_cas_server_cn_validate); > } > > // add extra stuff if SAML
>
> As you can see, the code now sets setSslCaCert first with the correct CA
> cert, but then sets it again with a boolean value. This makes all CA
> validation fail and thus renders php-cas unusable.
>
> The intended change, which is also upstream, is what is in attached patch.
> Can you provide a fixed package? Let me know if my help is needed.
>

Thanks for testing and reporting.

I've updated and uploaded the package.

As you can see in [0], I've integrated the full upstream commit [1] and not just the change on Client.php.

Hope this helps.

I'll make sure this transitions in testing/wheezy too.

Best regards,

[0] http://anonscm.debian.org/gitweb/?p=users/obergix/phpcas.git;a=shortlog;h=refs/heads/debian-1.3.1
[1] https://github.com/Jasig/phpCAS/commit/0e75d13385c0480d24512e5ea7dbb69863609b43

--
Olivier BERGER (OpenPGP: 4096R/7C5BB6A5)
http://www.olivierberger.com/weblog/
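
Review bot: The added `$request->setSslCaCert($this->_cas_server_cn_validate);` line in the quoted hunk reuses the CA-certificate setter for the CN-validation flag, so it overwrites the CA cert value set on the line just above it, inside the same `if ($this->_cas_server_ca_cert != '')` block. The flag should reach the request through its own argument or setter rather than a second setSslCaCert() call, and a test that makes a validated request with a CA cert configured would catch this kind of regression before upload.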