
Bug#868466: marked as done (php-cas: CVE-2017-1000071)



Your message dated Sun, 10 Feb 2019 09:29:23 +0000
with message-id <E1gslQR-00020q-0o@fasolo.debian.org>
and subject line Bug#868466: fixed in php-cas 1.3.6-1
has caused the Debian Bug report #868466,
regarding php-cas: CVE-2017-1000071
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
868466: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868466
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: php-cas
Version: 1.3.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Jasig/phpCAS/issues/228

Hi,

the following vulnerability was published for php-cas.

CVE-2017-1000071[0]:
| Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass
| in the validateCAS20 function when configured to authenticate against
| an old CAS server.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000071
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000071
[1] https://github.com/Jasig/phpCAS/issues/228

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-cas
Source-Version: 1.3.6-1

We believe that the bug you reported is fixed in the latest version of
php-cas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868466@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated php-cas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Feb 2019 09:29:07 +0100
Source: php-cas
Binary: php-cas
Architecture: source
Version: 1.3.6-1
Distribution: unstable
Urgency: medium
Maintainer: Xavier Guimard <yadd@debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 868466
Description: 
 php-cas    - Central Authentication Service client library in php
Changes:
 php-cas (1.3.6-1) unstable; urgency=medium
 .
   * Update debian/watch
   * New upstream version 1.3.6 (Closes: #868466, CVE-2017-1000071)
   * Bump debhelper compatibility level to 11
   * Declare compliance with policy 4.3.0
   * Set me as maintainer (See: #757231)
   * Drop old patches
   * Update install
   * Drop debian/examples
   * Update docs
   * Update debian/copyright
   * Update VCS fields to salsa
   * Add upstream/metadata
   * Clean debian/rules
   * Fix description
   * Update homepage

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
