Hi.

Please unblock php-cas so that the security fix for CVE-2012-5583, fixed in 1.3.1-3, can be shipped in wheezy.

Cf.: http://http.debian.net/debian/pool/main/p/php-cas/php-cas_1.3.1-3.dsc

I hope this is the correct procedure for such an unblock during the freeze, as I've never had to proceed along such paths in the past.

Many thanks in advance.

Best regards,

Alessandro Ghedini <gh...@debian.org> writes:

> Hi,
>
> I recently discovered that php-cas is using the libcurl API in a way that may
> not be what the original author intended. In particular I'm referring to the
> fact that the CURLOPT_SSL_VERIFYHOST option is treated as if it were a boolean
> value, while in fact it isn't (it may take three different values):
>
> /*********************************************************
>  * Set SSL configuration
>  *********************************************************/
> if ($this->caCertPath) {
>     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
>     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
>     curl_setopt($ch, CURLOPT_CAINFO, $this->caCertPath);
>     phpCAS::trace('CURL: Set CURLOPT_CAINFO');
> } else {
>     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
>     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
> }
>
> (from the file CAS-1.3.1/CAS/Request/CurlRequest.php)
>
> Setting the value to "0" disables the host checks, but setting it to "1" does
> not enable them (well, not all of them) and this may lead to security issues.
> The correct value to enable all the security checks is "2".
>
> From the libcurl documentation:
>
>> When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the
>> server is the server to which you meant to connect, or the connection fails.
>>
>> Curl considers the server the intended one when the Common Name field or a
>> Subject Alternate Name field in the certificate matches the host name in the
>> URL to which you told Curl to connect.
>>
>> When the value is 1, the certificate must contain a Common Name field, but it
>> doesn't matter what name it says. (This is not ordinarily a useful setting).
>>
>> When the value is 0, the connection succeeds regardless of the names in the
>> certificate.
>
> After discussing this with the security team, it was decided that it would be
> best if this was fixed before the Wheezy release.
>
> Note that this should be fixed anyway, since as of curl v7.28.1 (which will
> soon be uploaded to experimental) the value "1" is not a valid value anymore
> and libcurl will return an error.
>
> A possible fix should be discussed with the php-cas upstream first.
>
> Cheers

-- 
Olivier BERGER (OpenPGP: 4096R/7C5BB6A5)
http://www.olivierberger.com/weblog/
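As an added illustration (not code from php-cas or from either author of the thread), the snippet quoted above is shown next to a hardened version of the same branch. Two things matter: CURLOPT_SSL_VERIFYHOST must be 2 (passing true or 1 only requires that some Common Name exists), and the else branch above sets CURLOPT_SSL_VERIFYPEER to 0, which skips chain validation entirely, so even a correct VERIFYHOST setting would still accept any self-signed certificate carrying the expected name. The function names, the CAS URL and the exception handling are assumptions made for the example.

```php
<?php
// Added example, not php-cas code. Shows the quoted broken branch beside a
// hardened replacement. Function names and the URL below are illustrative.

// BEFORE: mirrors the quoted CurlRequest.php logic.
// - VERIFYHOST=1 only demands that a CN field exists; any name passes.
// - In the else branch VERIFYPEER=0 disables chain verification, so no
//   certificate validation happens at all on that path.
function setSslConfigBroken($ch, ?string $caCertPath): void
{
    if ($caCertPath) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
        curl_setopt($ch, CURLOPT_CAINFO, $caCertPath);
    } else {
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    }
}

// AFTER: always verify the chain and require the certificate to name the host.
// Both settings are needed; either one alone does not stop a MITM.
function setSslConfigHardened($ch, ?string $caCertPath): void
{
    // 2 = CN or SAN must match the host in the URL. Do NOT pass true here:
    // it is cast to 1, which is the weak setting from the bug report.
    if (!curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2)) {
        throw new RuntimeException('cannot set CURLOPT_SSL_VERIFYHOST=2: ' . curl_error($ch));
    }
    // Chain verification against a CA bundle (true is fine for this boolean option).
    if (!curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true)) {
        throw new RuntimeException('cannot set CURLOPT_SSL_VERIFYPEER: ' . curl_error($ch));
    }
    if ($caCertPath !== null && $caCertPath !== '') {
        // Fail closed on a misconfigured bundle path instead of silently
        // falling back to weaker behaviour.
        if (!is_readable($caCertPath)) {
            throw new RuntimeException("CA bundle not readable: $caCertPath");
        }
        curl_setopt($ch, CURLOPT_CAINFO, $caCertPath);
    }
    // With no explicit bundle, libcurl uses its default CA store; the
    // important point is that VERIFYPEER stays enabled on this path too.
}

// Check how the installed libcurl treats the value from the bug report.
// As noted in the quoted mail, libcurl 7.28.1 rejects VERIFYHOST=1, in which
// case curl_setopt returns false; older versions accept it silently.
function verifyHostValueAccepted($ch, int $value): bool
{
    return curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $value);
}

// Usage (hostname is an assumption for the example).
$ch = curl_init('https://cas.example.org/cas/serviceValidate');
echo 'libcurl ' . curl_version()['version'] . ': VERIFYHOST=1 accepted? '
    . (verifyHostValueAccepted($ch, 1) ? 'yes' : 'no') . "\n";
setSslConfigHardened($ch, null);  // or a path to an explicit CA bundle
curl_close($ch);
```

Checking the return value of curl_setopt is what turns the libcurl 7.28.1 change from a silent behaviour difference into a visible error: a deployment that still passes 1 fails at configuration time rather than continuing with whatever the TLS layer does when the option could not be set.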