=====================================================================
CERT-Renater Information Note No. 2013/VULN025
_____________________________________________________________________
DATE                 : 11/01/2013
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running phpCAS versions prior to 1.3.2.
======================================================================

https://listes.esup-portail.org/sympa/arc/phpcas-users/2012-12/msg00000.html
______________________________________________________________________

Dear CAS Community,

we are pleased to announce the new 1.3.2 release [1] for phpCAS.

This release fixes one security issue:

(CVE-2012-5583) [5]: Due to a wrong use of the curl library, phpCAS did not properly validate the CAS server's CN in an SSL certificate. [4] This could allow an attacker to assume the role of the CAS server if he is able to manipulate the network (DNS, routing etc.) to reroute all validation requests to his own CAS server.

The release also fixes various other minor bugs. For details please refer to the Changelog [2] and the issues list on github [5]. Please also have a look at the Upgrading documentation [3] if you run into any trouble during an upgrade.

Thanks to everyone who contributed, reported the issues and made this release possible.
Cheers,
Joachim

[1] http://downloads.jasig.org/cas-clients/php/1.3.2/
[2] https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog
[3] https://github.com/Jasig/phpCAS/blob/master/docs/Upgrading
[4] https://github.com/Jasig/phpCAS/pull/58
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5583

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER            | tel  : 01-53-94-20-44     +
+ 23 - 25 Rue Daviel      | fax  : 01-53-94-20-41     +
+ 75013 Paris             | email: certsvp@renater.fr +
=========================================================
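The note above attributes the missing CN check to a "wrong use of the curl library" but quotes no code. The following is an added illustration, not phpCAS's own code and not part of the CERT note: it shows the curl misconfiguration that produces exactly that symptom (certificate chain verified, host name never compared) beside a hardened handle, plus a ticket-validation routine that fails closed on any transport or certificate error. It assumes PHP 7.1+ with the curl and dom extensions; the CAS host, the CA bundle path and the function names are placeholders chosen here, and whether this is the precise line phpCAS changed is not stated by the note.

```php
<?php
// Added illustration for CVE-2012-5583 (hypothetical code, not phpCAS's own).
// A CAS client validates a service ticket by fetching
//   https://<cas-server>/cas/serviceValidate?service=...&ticket=...
// over HTTPS with curl. If the handle is configured so that the server
// certificate's CN / subjectAltName is never compared with the host name in
// the URL, any certificate issued by a trusted CA is accepted, and whoever
// can redirect the traffic (DNS, routing) can answer the validation request.

/**
 * Weak configuration. CURLOPT_SSL_VERIFYHOST = 1 only checked that the
 * certificate carried *some* common name; it never compared that name with
 * the host being contacted. Newer libcurl/PHP builds reject the value 1
 * outright because it was so often mistaken for "verify the host".
 */
function weakValidationHandle(string $validateUrl)
{
    $ch = curl_init($validateUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // chain to a trusted CA: checked
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);    // name in the certificate: NOT checked
    return $ch;
}

/**
 * Hardened configuration. VERIFYHOST = 2 makes curl require that the
 * certificate's CN or subjectAltName match the requested host, and
 * CURLOPT_CAINFO narrows the trust store to the CA that actually issued the
 * CAS server's certificate ($caBundlePath is a placeholder you supply).
 */
function hardenedValidationHandle(string $validateUrl, string $caBundlePath)
{
    $ch = curl_init($validateUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, $caBundlePath);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);       // never talk plain http://
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS); // ... not even via a redirect
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);            // the validate URL is fixed
    return $ch;
}

/**
 * Run the validation request and fail closed: a transport or certificate
 * error is reported as "ticket not valid", never as a parse problem a caller
 * might ignore. Returns the authenticated user name, or null.
 */
function validateServiceTicket($ch): ?string
{
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);           // 51 = CURLE_PEER_FAILED_VERIFICATION
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $errno !== 0 || $status !== 200) {
        error_log("CAS validation refused: curl errno $errno, HTTP $status");
        return null;
    }

    // CAS 2.0 response: <cas:serviceResponse><cas:authenticationSuccess><cas:user>
    $xml = new DOMDocument();
    if (!@$xml->loadXML($body, LIBXML_NONET)) { // no network fetches while parsing
        return null;
    }
    $xpath = new DOMXPath($xml);
    $xpath->registerNamespace('cas', 'http://www.yale.edu/tp/cas');
    $user = $xpath->query('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    return $user->length === 1 ? trim($user->item(0)->textContent) : null;
}

// Usage (host name, service URL and bundle path are placeholders):
// $url  = 'https://cas.example.edu/cas/serviceValidate?service=' . rawurlencode($service)
//       . '&ticket=' . rawurlencode($_GET['ticket']);
// $user = validateServiceTicket(hardenedValidationHandle($url, '/etc/ssl/cas-ca.pem'));
```

The two handle builders differ in a single option, which is what makes this class of bug easy to miss in review: VERIFYPEER alone proves the certificate was issued by a trusted CA, not that it was issued for the host the client is talking to. For deployments that cannot upgrade immediately, grepping the client code base for `CURLOPT_SSL_VERIFYHOST` set to anything other than 2 (or for `CURLOPT_SSL_VERIFYPEER` set to false) is a quick audit for the same weakness.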