==========================================================================
Ubuntu Security Notice USN-6913-2
July 31, 2024
php-cas vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

phpCAS was vulnerable to an authentication bypass.

Software Description:

- php-cas: Central Authentication Service client library in php

Details:

USN-6913-1 fixed CVE-2022-39369 for Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
This update provides the corresponding fix for Ubuntu 16.04 LTS.

Original advisory details:

Filip Hejsek discovered that phpCAS was using HTTP headers to determine
the service URL used to validate tickets. A remote attacker could
possibly use this issue to gain access to a victim's account on a
vulnerable CASified service.

This security update introduces an incompatible API change. After applying
this update, third party applications need to be modified to pass in an
additional service base URL argument when constructing the client class.
For more information please refer to the section
"Upgrading 1.5.0 -> 1.6.0" of the phpCAS upgrading document:
https://github.com/apereo/phpCAS/blob/master/docs/Upgrading
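
The pattern behind the issue described above, next to the shape of the fix, as an added example that is not phpCAS code and not part of the original notice. The function names, host names and the allowlist-with-default behaviour are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not phpCAS internals.

// Pre-fix pattern: the service URL is assembled from request headers, so the
// URL submitted for ticket validation follows whatever the headers say.
function service_url_from_headers(array $server): string
{
    $host = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? $server['SERVER_NAME'];
    $scheme = (($server['HTTPS'] ?? '') === 'on') ? 'https' : 'http';
    // Query string dropped for brevity.
    return $scheme . '://' . $host . strtok($server['REQUEST_URI'], '?');
}

// Post-fix pattern: the base URL comes from configuration. The request host
// may only select among configured entries; the first entry is the default.
function service_url_from_base(array $server, array $allowedBases): string
{
    $scheme = (($server['HTTPS'] ?? '') === 'on') ? 'https' : 'http';
    $candidate = strtolower($scheme . '://' . ($server['HTTP_HOST'] ?? ''));
    $base = $allowedBases[0];
    foreach ($allowedBases as $allowed) {
        if (strtolower(rtrim($allowed, '/')) === $candidate) {
            $base = $allowed;
            break;
        }
    }
    return rtrim($base, '/') . strtok($server['REQUEST_URI'], '?');
}

// Constructed sample request: the Host header names a different site than
// the one this application is configured to serve.
$request = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'other-service.example',
    'SERVER_NAME' => 'app.example',
    'REQUEST_URI' => '/login?ticket=ST-constructed',
];
$allowed = ['https://app.example', 'https://www.app.example'];

// Header-derived URL takes its host from the request.
echo service_url_from_headers($request), "\n";
// Configured base URL keeps the service URL on an allowed host.
echo service_url_from_base($request, $allowed), "\n";
```

Applications that construct the client after this update supply the equivalent of `$allowed` as the additional service base URL argument the notice describes.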

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
  php-cas 1.3.3-2ubuntu1+esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6913-2
  https://ubuntu.com/security/notices/USN-6913-1
  CVE-2022-39369