Ubuntu alert USN-6913-1 (php-cas)
From: Federico Quattrin <federico.quattrin@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-6913-1] phpCAS vulnerability
Date: Wed, 24 Jul 2024 20:57:20 -0300
Message-ID: <0ac6afe8-d63b-480a-80f6-21310ffc3ec2@canonical.com>
==========================================================================
Ubuntu Security Notice USN-6913-1
July 24, 2024

php-cas vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

phpCAS was vulnerable to an authentication bypass.

Software Description:
- php-cas: Central Authentication Service client library in php

Details:

Filip Hejsek discovered that phpCAS was using HTTP headers to determine
the service URL used to validate tickets. A remote attacker could
possibly use this issue to gain access to a victim's account on a
vulnerable CASified service.

This security update introduces an incompatible API change. After applying
this update, third party applications need to be modified to pass in an
additional service base URL argument when constructing the client class.

For more information please refer to the section
"Upgrading 1.5.0 -> 1.6.0" of the phpCAS upgrading document:

https://github.com/apereo/phpCAS/blob/master/docs/Upgrading

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  php-cas 1.3.8-1ubuntu0.22.04.1

Ubuntu 20.04 LTS
  php-cas 1.3.8-1ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6913-1
  CVE-2022-39369

Package Information:
  https://launchpad.net/ubuntu/+source/php-cas/1.3.8-1ubunt...
  https://launchpad.net/ubuntu/+source/php-cas/1.3.8-1ubunt...
Attachment: OpenPGP_0x703AAD91046CD76E.asc (type=application/pgp-keys)
Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
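An added example (not part of the advisory and not phpCAS source code) of the pattern described under "Details": a service URL assembled from request headers, beside one assembled from a configured base URL as the API change requires. The function names, hostnames and sample request are constructed for illustration.

```php
<?php
// Illustration only; function names are hypothetical, not phpCAS APIs.

// Pre-fix pattern: the service URL sent for ticket validation is assembled
// from request headers, so the sender of the request chooses its host part.
function serviceUrlFromHeaders(array $server): string
{
    $scheme = (($server['HTTPS'] ?? '') === 'on') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? $server['SERVER_NAME'];
    return $scheme . '://' . $host . parse_url($server['REQUEST_URI'], PHP_URL_PATH);
}

// Post-fix pattern: the base URL comes from configuration. A request header
// may only select among configured values; anything else falls back to the
// first configured entry (a design choice of this example).
function serviceUrlFromConfig(array $server, array $allowedBaseUrls): string
{
    if ($allowedBaseUrls === []) {
        throw new InvalidArgumentException('at least one service base URL is required');
    }
    $scheme    = (($server['HTTPS'] ?? '') === 'on') ? 'https' : 'http';
    $candidate = strtolower($scheme . '://' . ($server['HTTP_HOST'] ?? ''));
    $base      = $allowedBaseUrls[0];
    foreach ($allowedBaseUrls as $allowed) {
        if (strtolower(rtrim($allowed, '/')) === $candidate) {
            $base = $allowed;
            break;
        }
    }
    return rtrim($base, '/') . parse_url($server['REQUEST_URI'], PHP_URL_PATH);
}

// Constructed request: the Host header does not match any configured base URL.
$request = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'unexpected.example.net',
    'SERVER_NAME' => 'app.example.org',
    'REQUEST_URI' => '/portal/index.php?ticket=ST-constructed',
];
$allowed = ['https://app.example.org', 'https://app-alt.example.org'];

echo serviceUrlFromHeaders($request), "\n";          // host taken from the header
echo serviceUrlFromConfig($request, $allowed), "\n"; // host taken from configuration

// Migration in application code, with the argument position as described in
// the upgrading document (verify against the installed package):
// phpCAS::client(CAS_VERSION_2_0, $casHost, $casPort, $casContext, 'https://app.example.org');
```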