Bug 20722 - php-pear-CAS new security issues fixed upstream in 1.3.5
Summary: php-pear-CAS new security issues fixed upstream in 1.3.5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-04-23 00:23 CEST by David Walser
Modified: 2017-08-21 22:28 CEST
CC List: 5 users

See Also:
Source RPM: php-pear-CAS-1.3.4-4.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-04-23 00:23:19 CEST
Fedora has issued an advisory on April 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2THFM2BPR5YGBE42CTAPCAUVZ77UDLYF/

Mageia 5 is also affected.
David Walser 2017-04-23 00:23:25 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-23 01:39:21 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Nicolas Lécureuil 2017-04-24 11:56:59 CEST

Version: Cauldron => 5
CC: (none) => mageia
Whiteboard: MGA5TOO => (none)

Comment 2 Mike Rambo 2017-07-26 23:23:53 CEST
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated php-pear-CAS package fixes security vulnerability:

It was discovered that php-pear-CAS contained a possible authentication bypass in validateCAS20.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2THFM2BPR5YGBE42CTAPCAUVZ77UDLYF/
https://github.com/apereo/phpCAS/issues/228
========================

Updated packages in core/updates_testing:
========================
php-pear-CAS-1.3.5-1.mga5.noarch.rpm

from php-pear-CAS-1.3.5-1.mga5.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => has_procedure
CC: (none) => mrambo

Comment 3 Lewis Smith 2017-08-20 22:09:10 CEST
Testing M5-64 using Moodle - the only application directly using this package.
"This package is a PEAR installable library for using a Central Authentication Service."
Updated the pkg from: php-pear-CAS-1.3.3-4.mga5
to: php-pear-CAS-1.3.5-1.mga5
Trying Moodle (long installed & used for its own updates):
 http://localhost/moodle
Well, I was able to log in as administrator and add a couple of things. Moodle still works - within my complete lack of know-how of it. Oking; and since this is M5 only, validating as well. This has hung around for weeks.

CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 4 Lewis Smith 2017-08-21 21:59:42 CEST
Advisory done from comment 2; but it lacks a CVE.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Comment 5 Mageia Robot 2017-08-21 22:28:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0293.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
