Dear CAS Community,
We are pleased to announce the new 1.1.3 release [1] of phpCAS. This
release contains 3 security fixes for vulnerabilities in the proxy
callback mechanism. These vulnerabilities only affect phpCAS clients
that are running in proxy() mode.
The release is fully compatible with all 1.1.x versions.
The changes are:
Security Issues
* CVE-2010-3690 phpCAS: XSS during a proxy callback [PHPCAS-80] (Joachim Fritschi)
* CVE-2010-3691 phpCAS: prevent symlink attacks during a proxy callback [PHPCAS-80] (Joachim Fritschi)
* CVE-2010-3692 phpCAS: directory traversal during a proxy callback [PHPCAS-80] (Joachim Fritschi)
Bug Fixes
* fix missing $this in domxml-php4-to-php5 [PHPCAS-73] (Iñaki Arenaza)
* fix broken redirection with Safari [PHPCAS-79] (Alex Barker)
* fix missing exit() call during ticket validation [PHPCAS-76] (Igor Blanco, Joachim Fritschi)
* fix a notice because REQUEST_URL is not defined on IIS [PHPCAS-81] (Iñaki Arenaza)
* fix a typo in pgt-db.php [PHPCAS-75] (Julien Cochennec)
* removal of the non-functional pgt-db backend [PHPCAS-81] (Joachim Fritschi)
Improvements
* upgrade domxml-php4-to-php5 to the newest version [PHPCAS-74] (Joachim Fritschi)
Cheers,
Joachim
[1] http://downloads.jasig.org/cas-clients/php/1.1.3/
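The three security fixes above all sit in one place: the proxy callback, where the CAS server hands the client a pgtIou/pgtId pair and the client stores the pair for later lookup. The following is an added illustration written for this page, not phpCAS code and not the patch that shipped in 1.1.3; it shows how a callback handler closes the three issue classes the announcement names (XSS in what is echoed back, directory traversal in the storage file name, symlink following when the file is written). The parameter names pgtIou and pgtId and the ticket format (fixed prefix plus [A-Za-z0-9-], up to 256 characters) come from the CAS protocol specification as I read it, not from the announcement; the function names, the storage directory and the response text are assumptions for illustration.

```php
<?php
// Added example, not phpCAS code: a hardened handler for a CAS proxy callback.
// The CAS server requests the client's callback URL with two query parameters,
// pgtIou and pgtId (CAS protocol), and the client persists the pair. Names of
// functions, the storage directory and messages below are assumptions.

declare(strict_types=1);

const PGT_STORAGE_DIR = '/var/lib/cas-client/pgt'; // assumed location, not phpCAS's

/**
 * Allowlist validation of a ticket value before it is used in a file name or
 * echoed back. The CAS protocol restricts tickets to a fixed prefix followed by
 * characters from [A-Za-z0-9-] (up to 256 chars), so anything else is rejected.
 * Because '/', '\' and '.' cannot pass, no path traversal sequence survives.
 */
function validate_ticket(string $value, string $prefix): ?string
{
    $pattern = '/\A' . preg_quote($prefix, '/') . '[A-Za-z0-9\-]{1,256}\z/';
    return preg_match($pattern, $value) === 1 ? $value : null;
}

/**
 * Persist pgtId under pgtIou without following anything that already exists at
 * the target path. Returns true on success, false if the request is rejected.
 */
function store_pgt(string $iou, string $pgt, string $dir = PGT_STORAGE_DIR): bool
{
    $iou = validate_ticket($iou, 'PGTIOU-');
    $pgt = validate_ticket($pgt, 'PGT-');
    if ($iou === null || $pgt === null) {
        return false;
    }

    // Resolve the storage directory once and refuse anything that is not a real directory.
    $realDir = realpath($dir);
    if ($realDir === false || !is_dir($realDir)) {
        return false;
    }
    // $iou passed the allowlist, so joining it onto $realDir cannot leave the directory.
    $path = $realDir . DIRECTORY_SEPARATOR . $iou;

    // Symlink defence: mode 'x' is O_CREAT|O_EXCL. If any entry already exists at
    // $path, including a symlink planted by another local user, the open fails
    // rather than writing through it. A fresh IOU never legitimately collides.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false;
    }
    try {
        return fwrite($fh, $pgt) === strlen($pgt);
    } finally {
        fclose($fh);
    }
}

/**
 * Callback entry point: validate, store, and respond with escaped output only.
 */
function handle_proxy_callback(array $query): string
{
    $iou = (string) ($query['pgtIou'] ?? '');
    $pgt = (string) ($query['pgtId'] ?? '');

    if (!store_pgt($iou, $pgt)) {
        http_response_code(400);
        // Do not reflect the rejected input at all.
        return 'Invalid proxy callback.';
    }
    // XSS defence: request data is HTML-escaped before it reaches the response body.
    return 'Stored ' . htmlspecialchars($iou, ENT_QUOTES, 'UTF-8');
}

echo handle_proxy_callback($_GET);
```

The order matters: validation runs before either the file name or the response is built, so a single rejection point covers both the traversal and the XSS case, and the exclusive-create open is what turns a planted symlink into a failed request instead of an overwritten file.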
--
You are currently subscribed to cas-dev@lists.jasig.org as:
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev