[SECURITY] Fedora 14 Update: php-pear-CAS-1.1.3-1.fc14

updates at fedoraproject.org
Thu Oct 14 14:12:47 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-15796
2010-10-05 21:46:11
--------------------------------------------------------------------------------

Name        : php-pear-CAS
Product     : Fedora 14
Version     : 1.1.3
Release     : 1.fc14
URL         : http://www.ja-sig.org/wiki/display/CASC/phpCAS
Summary     : Central Authentication Service client library in php
Description :
This package is a PEAR library for using a Central Authentication Service.

--------------------------------------------------------------------------------
Update Information:

This release contains 3 security fixes for vulnerabilities in the proxy callback mechanism. These vulnerabilities only affect phpCAS clients that are running in proxy() mode.
The release is fully compatible with all 1.1.x versions.

The changes are:

Security Issue
* CVE-2010-3690 phpCAS: XSS during a proxy callback [PHPCAS-80] (Joachim Fritschi)
* CVE-2010-3691 phpCAS: prevent symlink attacks during a proxy callback [PHPCAS-80] (Joachim Fritschi)
* CVE-2010-3692 phpCAS: directory traversal during a proxy callback [PHPCAS-80] (Joachim Fritschi)

Bug Fixes
* fix broken redirection with safari [PHPCAS-79] (Alex Barker)
* fix missing exit() call during ticket validation [PHPCAS-76] (Igor Blanco, Joachim Fritschi)
* fix a notice because REQUEST_URL is not defined on IIS [PHPCAS-81] (Iñaki Arenaza)
* fix a typo in pgt-db.php [PHPCAS-75] (Julien Cochennec)
* removal of the non functional pgt-db backend [PHPCAS-81] (Joachim Fritschi)


--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update php-pear-CAS' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

