U radu programskog paketa php-pear-CAS otkrivena su dva sigurnosna propusta. Nedostaci omogućuju pristup osjetljivim podacima i neovlašten pristup sustavu.
| Paket: | php-pear-CAS 1.x |
| Operacijski sustavi: | Fedora 15 |
| Problem: | neodgovarajuće rukovanje datotekama, nepravilno rukovanje lozinkama, nepravilno rukovanje ovlastima |
| Iskorištavanje: | udaljeno |
| Posljedica: | neovlašteni pristup sustavu, otkrivanje osjetljivih informacija |
| Rješenje: | programska zakrpa proizvođača |
| CVE: | CVE-2012-1104, CVE-2012-1105 |
| Izvorni ID preporuke: | FEDORA-2012-4077 |
| Izvor: | Fedora |
| Problem: | |
| Propusti se javljaju zbog nepravilnog provjeravanja korisničkih dozvola za proxy servise te nesigurnog spremanja podataka o proxy sjednici. |
|
| Posljedica: | |
| Propusti omogućuju pristup osjetljivim podacima putem oznaka (eng. token) za prijavljivanje i neovlašten pristup CAS (eng. Central Authorization Service) sustavu. |
|
| Rješenje: | |
| Svim korisnicima se savjetuje nadogradnja. |
|
Izvorni tekst preporuke
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-4077
2012-03-17 23:01:04
--------------------------------------------------------------------------------
Name : php-pear-CAS
Product : Fedora 15
Version : 1.3.0
Release : 2.fc15
URL : https://wiki.jasig.org/display/CASC/phpCAS
Summary : Central Authentication Service client library in php
Description :
This package is a PEAR library for using a Central Authentication Service.
--------------------------------------------------------------------------------
Update Information:
Upstream changelog
Changes in version 1.3.0
Bug Fixes:
* the saml logout url should be parsed urlencoded [#24] (dlineate)
* fix a proxy mode bug introduced in a previous comitt [#16] (Adam Franco)
* Fix include_path order so that the phpCAS path takes precedence [#13] (Adam
Franco)
* fix invalid characters in the php session naming [#17] (Joachim Fritschi)
* fix an initialisation problem introduced in the PGT storage [18] (Daniel
Frett)
* make sure the PGTStorage object is initialized if a user is utilizing the
createTable method [#4] (Daniel Frett)
* Fix error message in phpCAS::setCacheTimesForAuthRecheck() [PHPCAS-132/#1]
(Bradley Froehle)
* Always return attributes in utf8 [PHPCAS-102]
* Fix warning during debugging if debug is set to false [PHPCAS-123] (Sean
Watkins)
New Features:
* Add a script to create the PGT db table in proxy mode [#11] (Joachim
Fritschi)
* Switch to the Apache License [#5] (Adam Franco, Joachim Fritschi)
* Move to github and add all necessary file to package [#12] (Adam Franco)
* New build process for github [#12] (Adam Franco)
* Update unit tests to work with the lastest phpunit version [PHPCAS-128] (Adam
Franco)
* Refacatoring of the protocol decision making to allow validation of proxied
usage [PHPCAS-69] (Joachim Fritschi, Adam Franco)
* Rebroadcast of logout and pgtiou to support clustered phpcas [PHPCAS-100]
(Matthew Selwood, Adam Franco)
Improvements:
* Improved cookie handling [] (Adam Franco
* Indent, format and user name guidelines of PEAR [#14] (Joachim Fritschi)
* Add a class autoloading feature [PHPCAS-125/#8] (Joachim Fritschi)
* Remove global variables [PHPCAS-126] (Adam Franco)
* Implementation of an exception framework to allow gracefull termination
[PHPCAS-109] (Joachim Fritschi)
* enable single sign-out when session has already started [#29] (Benvii)
Security Fixes:
* CVE-2012-1104 validate proxied usage of a service [PHPCAS-69] (Joachim
Fritschi, Adam Franco)
* CVE-2012-1105 change the default PGT save path to the session storage path and
set proper permissions [#22] (Joachim Fritschi)
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 14 2012 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.3.0-2
- License is ASL 2.0, https://github.com/Jasig/phpCAS/issues/32
- New sources, https://github.com/Jasig/phpCAS/issues/31
- update to Version 1.3.0
* Sat Jun 11 2011 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.2-1
- update to Version 1.2.2 (stable) - API 1.2.2 (stable)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #801343 - CVE-2012-1104 php-pear-CAS: Improper management of service
proxying
https://bugzilla.redhat.com/show_bug.cgi?id=801343
[ 2 ] Bug #801347 - CVE-2012-1105 php-pear-CAS: Debug log and proxy
configuration session data stored in /tmp without proper protection
https://bugzilla.redhat.com/show_bug.cgi?id=801347
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update php-pear-CAS' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-4119
2012-03-17 23:02:58
--------------------------------------------------------------------------------
Name : php-pear-CAS
Product : Fedora 16
Version : 1.3.0
Release : 2.fc16
URL : https://wiki.jasig.org/display/CASC/phpCAS
Summary : Central Authentication Service client library in php
Description :
This package is a PEAR library for using a Central Authentication Service.
--------------------------------------------------------------------------------
Update Information:
Upstream changelog
Changes in version 1.3.0
Bug Fixes:
* the saml logout url should be parsed urlencoded [#24] (dlineate)
* fix a proxy mode bug introduced in a previous comitt [#16] (Adam Franco)
* Fix include_path order so that the phpCAS path takes precedence [#13] (Adam
Franco)
* fix invalid characters in the php session naming [#17] (Joachim Fritschi)
* fix an initialisation problem introduced in the PGT storage [18] (Daniel
Frett)
* make sure the PGTStorage object is initialized if a user is utilizing the
createTable method [#4] (Daniel Frett)
* Fix error message in phpCAS::setCacheTimesForAuthRecheck() [PHPCAS-132/#1]
(Bradley Froehle)
* Always return attributes in utf8 [PHPCAS-102]
* Fix warning during debugging if debug is set to false [PHPCAS-123] (Sean
Watkins)
New Features:
* Add a script to create the PGT db table in proxy mode [#11] (Joachim
Fritschi)
* Switch to the Apache License [#5] (Adam Franco, Joachim Fritschi)
* Move to github and add all necessary file to package [#12] (Adam Franco)
* New build process for github [#12] (Adam Franco)
* Update unit tests to work with the lastest phpunit version [PHPCAS-128] (Adam
Franco)
* Refacatoring of the protocol decision making to allow validation of proxied
usage [PHPCAS-69] (Joachim Fritschi, Adam Franco)
* Rebroadcast of logout and pgtiou to support clustered phpcas [PHPCAS-100]
(Matthew Selwood, Adam Franco)
Improvements:
* Improved cookie handling [] (Adam Franco
* Indent, format and user name guidelines of PEAR [#14] (Joachim Fritschi)
* Add a class autoloading feature [PHPCAS-125/#8] (Joachim Fritschi)
* Remove global variables [PHPCAS-126] (Adam Franco)
* Implementation of an exception framework to allow gracefull termination
[PHPCAS-109] (Joachim Fritschi)
* enable single sign-out when session has already started [#29] (Benvii)
Security Fixes:
* CVE-2012-1104 validate proxied usage of a service [PHPCAS-69] (Joachim
Fritschi, Adam Franco)
* CVE-2012-1105 change the default PGT save path to the session storage path and
set proper permissions [#22] (Joachim Fritschi)
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 14 2012 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.3.0-2
- License is ASL 2.0, https://github.com/Jasig/phpCAS/issues/32
- New sources, https://github.com/Jasig/phpCAS/issues/31
- update to Version 1.3.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #801343 - CVE-2012-1104 php-pear-CAS: Improper management of service
proxying
https://bugzilla.redhat.com/show_bug.cgi?id=801343
[ 2 ] Bug #801347 - CVE-2012-1105 php-pear-CAS: Debug log and proxy
configuration session data stored in /tmp without proper protection
https://bugzilla.redhat.com/show_bug.cgi?id=801347
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update php-pear-CAS' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke