Hi. Here's the associated debdiff that was requested.
Best regards, -- Olivier BERGER (OpenPGP: 4096R/7C5BB6A5) http://www.olivierberger.com/weblog/
diff -Nru php-cas-1.3.1/debian/changelog php-cas-1.3.1/debian/changelog --- php-cas-1.3.1/debian/changelog 2012-06-13 22:41:56.000000000 +0200 +++ php-cas-1.3.1/debian/changelog 2012-12-12 18:43:39.000000000 +0100 @@ -1,3 +1,18 @@ +php-cas (1.3.1-3) unstable; urgency=high + + * The previous upload missed the CVE-2012-5583 reference. Rewriting the + changelog message. + + -- Olivier Berger <ober...@debian.org> Wed, 12 Dec 2012 18:43:26 +0100 + +php-cas (1.3.1-2) unstable; urgency=high + + * Fix security problem on libcurl verification of SSL cert's hostname + (apply upstream fixes for issue #58 on github) (CVE-2012-5583 - + insecure usage of curl). + + -- Olivier Berger <ober...@debian.org> Fri, 30 Nov 2012 09:48:50 +0100 + php-cas (1.3.1-1) unstable; urgency=low * Initial release. (Closes: #495542) diff -Nru php-cas-1.3.1/debian/patches/0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch php-cas-1.3.1/debian/patches/0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch --- php-cas-1.3.1/debian/patches/0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch 1970-01-01 01:00:00.000000000 +0100 +++ php-cas-1.3.1/debian/patches/0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch 2012-12-12 18:00:38.000000000 +0100 
@@ -0,0 +1,273 @@ +From: Olivier Berger <olivier.ber...@telecom-sudparis.eu> +Date: Fri, 30 Nov 2012 09:42:25 +0100 +Subject: Squashed commit of the following: + +commit bbe3d9e868d1fd0d922cd4a762949b0117bef543 +Author: jfritschi <jfrits...@freenet.de> +Date: Thu Nov 29 00:17:57 2012 +0100 + + #58 make the validate CN parameter optional in the RequestInterface + +commit ddddf84099aa17557e1331b717c003acebdf5339 +Author: jfritschi <jfrits...@freenet.de> +Date: Wed Nov 28 22:53:43 2012 +0100 + + #58 Enable full CN valdiation of SSL certifcate and create a manual user + override to disable it. The new default is a proper CN + validation. +--- + CAS-1.3.1/CAS.php | 17 +++--- + CAS-1.3.1/CAS/Client.php | 15 +++++- + CAS-1.3.1/CAS/Request/AbstractRequest.php | 5 +- + CAS-1.3.1/CAS/Request/CurlRequest.php | 7 ++- + CAS-1.3.1/CAS/Request/RequestInterface.php | 5 +- + docs/examples/example_no_ssl_cn_validation.php | 66 ++++++++++++++++++++++++ + 6 files changed, 102 insertions(+), 13 deletions(-) + create mode 100644 docs/examples/example_no_ssl_cn_validation.php + +diff --git a/CAS-1.3.1/CAS.php b/CAS-1.3.1/CAS.php +index 32674ff..fb4f1a5 100644 +--- a/CAS-1.3.1/CAS.php ++++ b/CAS-1.3.1/CAS.php +@@ -303,7 +303,7 @@ class phpCAS + * @param string $server_hostname the hostname of the CAS server + * @param string $server_port the port the CAS server is running on + * @param string $server_uri the URI the CAS server is responding on +- * @param bool $changeSessionID Allow phpCAS to change the session_id (Single ++ * @param bool $changeSessionID Allow phpCAS to change the session_id (Single + * Sign Out/handleLogoutRequests is based on that change) + * + * @return a newly created CAS_Client object +@@ -355,7 +355,7 @@ class phpCAS + * @param string $server_hostname the hostname of the CAS server + * @param string $server_port the port the CAS server is running on + * @param string $server_uri the URI the CAS server is responding on +- * @param bool $changeSessionID Allow phpCAS 
to change the session_id (Single ++ * @param bool $changeSessionID Allow phpCAS to change the session_id (Single + * Sign Out/handleLogoutRequests is based on that change) + * + * @return a newly created CAS_Client object +@@ -1630,13 +1630,15 @@ class phpCAS + } + + /** +- * Set the certificate of the CAS server CA. ++ * Set the certificate of the CAS server CA and if the CN should be properly ++ * verified. + * +- * @param string $cert CA certificate file name ++ * @param string $cert CA certificate file name ++ * @param bool $validate_host_name Validate CN in certificate (default true) + * + * @return void + */ +- public static function setCasServerCACert($cert) ++ public static function setCasServerCACert($cert, $validate_cn = true) + { + phpCAS :: traceBegin(); + if (!is_object(self::$_PHPCAS_CLIENT)) { +@@ -1645,7 +1647,10 @@ class phpCAS + if (gettype($cert) != 'string') { + phpCAS :: error('type mismatched for parameter $cert (should be `string\')'); + } +- self::$_PHPCAS_CLIENT->setCasServerCACert($cert); ++ if (gettype($validate_cn) != 'boolean') { ++ phpCAS :: error('type mismatched for parameter $validate_cn (should be `boolean\')'); ++ } ++ self::$_PHPCAS_CLIENT->setCasServerCACert($cert, $validate_cn); + phpCAS :: traceEnd(); + } + +diff --git a/CAS-1.3.1/CAS/Client.php b/CAS-1.3.1/CAS/Client.php +index abe7f21..02431ab 100644 +--- a/CAS-1.3.1/CAS/Client.php ++++ b/CAS-1.3.1/CAS/Client.php +@@ -1620,6 +1620,14 @@ class CAS_Client + */ + private $_cas_server_ca_cert = ''; + ++ ++ /** ++ * validate CN of the CAS server certificate ++ * ++ * @hideinitializer ++ */ ++ private $_cas_server_cn_validate = ''; ++ + /** + * Set to true not to validate the CAS server. + * +@@ -1631,14 +1639,16 @@ class CAS_Client + /** + * Set the CA certificate of the CAS server. 
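Review bot: The docblock added to `phpCAS::setCasServerCACert` documents a parameter named `$validate_host_name`, but the signature in the same hunk declares `$validate_cn`, so generated API docs and IDE hints will not line up with the real parameter. Rename the tag to match: `@param bool $validate_cn Validate the CN of the CAS server certificate against the configured hostname (default true)`. Because passing `false` here is a security downgrade, the docblock should also say so explicitly, e.g. a second line `Disabling CN validation lets any certificate issued by the trusted CA impersonate the CAS server; use only for testing.` The new boolean type check follows the existing `gettype` pattern, which is consistent with the rest of the file.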
+ * +- * @param string $cert the PEM certificate file name of the CA that emited ++ * @param string $cert the PEM certificate file name of the CA that emited + * the cert of the server ++ * @param bool $validate_cn valiate CN of the CAS server certificate + * + * @return void + */ +- public function setCasServerCACert($cert) ++ public function setCasServerCACert($cert, $validate_cn) + { + $this->_cas_server_ca_cert = $cert; ++ $this->_cas_server_cn_validate = $validate_cn; + } + + /** +@@ -2418,6 +2428,7 @@ class CAS_Client + } + if ($this->_cas_server_ca_cert != '') { + $request->setSslCaCert($this->_cas_server_ca_cert); ++ $request->setSslCaCert($this->_cas_server_cn_validate); + } + + // add extra stuff if SAML +diff --git a/CAS-1.3.1/CAS/Request/AbstractRequest.php b/CAS-1.3.1/CAS/Request/AbstractRequest.php +index 8109542..66ad2f2 100644 +--- a/CAS-1.3.1/CAS/Request/AbstractRequest.php ++++ b/CAS-1.3.1/CAS/Request/AbstractRequest.php +@@ -47,6 +47,7 @@ implements CAS_Request_RequestInterface + protected $isPost = false; + protected $postBody = null; + protected $caCertPath = null; ++ protected $validateCN = true; + private $_sent = false; + private $_responseHeaders = array(); + private $_responseBody = null; +@@ -183,17 +184,19 @@ implements CAS_Request_RequestInterface + * Specify the path to an SSL CA certificate to validate the server with. + * + * @param string $caCertPath path to cert ++ * @param bool $validate_cn valdiate CN of certificate + * + * @return void + * @throws CAS_OutOfSequenceException If called after the Request has been sent. 
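Review bot: The second call added in the `@@ -2418,6 +2428,7 @@` hunk, `$request->setSslCaCert($this->_cas_server_cn_validate);`, passes the boolean as the first argument, which the interface declares as `$caCertPath`; it overwrites the CA path set on the line before with `true`/`false` and leaves `validateCN` at its default. When the application passes `false`, the `if ($this->caCertPath)` test in CurlRequest then sees a falsy value and takes the branch that sets `CURLOPT_SSL_VERIFYPEER` to 0, so an option meant to relax only the CN check silently disables all certificate verification; when it passes `true`, `CURLOPT_CAINFO` receives a non-path and the request presumably fails. Replace the two lines with a single call: `$request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate);`. The new property `$_cas_server_cn_validate` is initialised to `''` although it is documented as a boolean; `private $_cas_server_cn_validate = true;` keeps the secure default when `setCasServerCACert` is never called on the request path. The method containing this hunk starts and ends outside the hunk.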
+ */ +- public function setSslCaCert ($caCertPath) ++ public function setSslCaCert ($caCertPath,$validate_cn=true) + { + if ($this->_sent) { + throw new CAS_OutOfSequenceException('Request has already been sent cannot '.__METHOD__); + } + + $this->caCertPath = $caCertPath; ++ $this->validateCN = $validate_cn; + } + + /********************************************************* +diff --git a/CAS-1.3.1/CAS/Request/CurlRequest.php b/CAS-1.3.1/CAS/Request/CurlRequest.php +index ef55886..f6026ba 100644 +--- a/CAS-1.3.1/CAS/Request/CurlRequest.php ++++ b/CAS-1.3.1/CAS/Request/CurlRequest.php +@@ -117,12 +117,15 @@ implements CAS_Request_RequestInterface + * Set SSL configuration + *********************************************************/ + if ($this->caCertPath) { +- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1); ++ if($this->validateCN){ ++ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); ++ }else{ ++ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1); ++ } + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1); + curl_setopt($ch, CURLOPT_CAINFO, $this->caCertPath); + phpCAS::trace('CURL: Set CURLOPT_CAINFO'); + } else { +- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); + } + +diff --git a/CAS-1.3.1/CAS/Request/RequestInterface.php b/CAS-1.3.1/CAS/Request/RequestInterface.php +index d6ccdc8..c5e3bdb 100644 +--- a/CAS-1.3.1/CAS/Request/RequestInterface.php ++++ b/CAS-1.3.1/CAS/Request/RequestInterface.php +@@ -119,12 +119,13 @@ interface CAS_Request_RequestInterface + /** + * Specify the path to an SSL CA certificate to validate the server with. + * +- * @param string $caCertPath path to cert file ++ * @param string $caCertPath path to cert file ++ * @param boolean $validate_cn validate CN of SSL certificate + * + * @return void + * @throws CAS_OutOfSequenceException If called after the Request has been sent. 
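Review bot: The `else` branch of the new `if($this->validateCN)` in CurlRequest sets `CURLOPT_SSL_VERIFYHOST` to 1, which is not a reliable "hostname check off" value: in libcurl that value historically meant only "check that a CN field exists", and later releases either reject it or treat it like 2 (exact behaviour depends on the installed libcurl, so confirm against the target platforms), so the documented opt-out may not do what callers expect. If the opt-out is kept, make it explicit and visible in the trace: `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);` followed by `phpCAS::trace('CURL: SSL hostname validation DISABLED');`, and keep `CURLOPT_SSL_VERIFYPEER` at 1 so CA validation still applies. A comment on the default branch such as `// 2 = verify the certificate's CN/SAN matches the requested host (CVE-2012-5583)` would document why the value changed from 1 to 2. The method containing this hunk starts and ends outside the hunk.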
+ */ +- public function setSslCaCert ($caCertPath); ++ public function setSslCaCert ($caCertPath, $validate_cn = true); + + + +diff --git a/docs/examples/example_no_ssl_cn_validation.php b/docs/examples/example_no_ssl_cn_validation.php +new file mode 100644 +index 0000000..b16e1e4 +--- /dev/null ++++ b/docs/examples/example_no_ssl_cn_validation.php +@@ -0,0 +1,66 @@ ++<?php ++ ++/** ++ * Example for diabling SSL CN valdiation ++ * ++ * PHP Version 5 ++ * ++ * @file example_simple.php ++ * @category Authentication ++ * @package PhpCAS ++ * @author Joachim Fritschi <jfrits...@freenet.de> ++ * @author Adam Franco <afra...@middlebury.edu> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++ ++// Load the settings from the central config file ++require_once 'config.php'; ++// Load the CAS lib ++require_once $phpcas_path . '/CAS.php'; ++ ++// Uncomment to enable debugging ++phpCAS::setDebug(); ++ ++// Initialize phpCAS ++phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context); ++ ++// For production use set the CA certificate that is the issuer of the cert ++// on the CAS server and uncomment the line below ++// phpCAS::setCasServerCACert($cas_server_ca_cert_path); ++ ++// For quick testing you can disable SSL validation of the CAS server. ++// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION. ++// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL! ++// phpCAS::setNoCasServerValidation(); ++// You can also disable the validation of the certficate CN. 
This means the ++// certificate must be valid but the CN of the certificate must not match the ++// IP or hostname you are using to access the server ++phpCAS::setCasServerCACert($cas_server_ca_cert_path, false); ++ ++ ++// force CAS authentication ++phpCAS::forceAuthentication(); ++ ++// at this step, the user has been authenticated by the CAS server ++// and the user's login name can be read with phpCAS::getUser(). ++ ++// logout if desired ++if (isset($_REQUEST['logout'])) { ++ phpCAS::logout(); ++} ++ ++// for this test, simply print that the authentication was successfull ++?> ++<html> ++ <head> ++ <title>phpCAS simple client</title> ++ </head> ++ <body> ++ <h1>Successfull Authentication!</h1> ++ <?php require 'script_info.php' ?> ++ <p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p> ++ <p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p> ++ <p><a href="?logout=">Logout</a></p> ++ </body> ++</html> diff -Nru php-cas-1.3.1/debian/patches/series php-cas-1.3.1/debian/patches/series --- php-cas-1.3.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ php-cas-1.3.1/debian/patches/series 2012-12-12 18:00:38.000000000 +0100 @@ -0,0 +1 @@ +0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch