Hi.
Thijs Kinkhorst <[email protected]> writes:
> The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:
>
> @@ -2418,6 +2428,7 @@ class CAS_Client
> }
> if ($this->_cas_server_ca_cert != '') {
> $request->setSslCaCert($this->_cas_server_ca_cert);
> + $request->setSslCaCert($this->_cas_server_cn_validate);
> }
>
> // add extra stuff if SAML
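Review bot: the added line calls `setSslCaCert()` a second time with `$this->_cas_server_cn_validate`, so the CA certificate path set by the line directly above it is overwritten with the CN-validation flag and the request no longer has a usable CA file. The flag should reach the request through its own parameter or setter rather than through a repeated `setSslCaCert()` call, so that `_cas_server_ca_cert` stays in effect. Also note that, placed here, the CN-validation setting is only applied when `_cas_server_ca_cert != ''`; it is worth confirming that this coupling is intended.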
>
> As you can see, the code now sets setSslCaCert first with the correct CA
> cert, but then sets it again with a boolean value. This makes all CA
> validation fail and thus renders php-cas unusable.
>
> The intended change, which is also upstream, is what is in attached patch.
> Can you provide a fixed package? Let me know if my help is needed.
>
Thanks for testing and reporting.
I've updated and uploaded the package.
As you can see in [0], I've integrated the full upstream commit [1] and
not just the change on Client.php.
Hope this helps.
I'll make sure this transitions in testing/wheezy too.
Best regards,
[0] http://anonscm.debian.org/gitweb/?p=users/obergix/phpcas.git;a=shortlog;h=refs/heads/debian-1.3.1
[1] https://github.com/Jasig/phpCAS/commit/0e75d13385c0480d24512e5ea7dbb69863609b43
--
Olivier BERGER
(OpenPGP: 4096R/7C5BB6A5)
http://www.olivierberger.com/weblog/