Candidate: CVE-2017-1000071
PublicDate: 2017-07-17 13:18:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000071
 https://github.com/Jasig/phpCAS/issues/228
 https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog
Description:
 Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the
 validateCAS20 function when configured to authenticate against an old CAS
 server.
Ubuntu-Description:
Notes:
 sbeattie> The vulnerability only exists when communicating with a
   server affected by another very old vulnerability fixed in 2010.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868466
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_php-cas:
upstream_php-cas: released (1.3.6-1)
precise/esm_php-cas: DNE
trusty_php-cas: ignored (reached end-of-life)
trusty/esm_php-cas: DNE (trusty was needed)
vivid/ubuntu-core_php-cas: DNE
xenial_php-cas: ignored (end of standard support, was needed)
yakkety_php-cas: ignored (reached end-of-life)
zesty_php-cas: ignored (reached end-of-life)
artful_php-cas: ignored (reached end-of-life)
bionic_php-cas: needed
cosmic_php-cas: ignored (reached end-of-life)
disco_php-cas: not-affected (1.3.6-1)
eoan_php-cas: not-affected (1.3.6-1)
focal_php-cas: not-affected (1.3.6-1)
groovy_php-cas: not-affected (1.3.6-1)
hirsute_php-cas: not-affected (1.3.6-1)
impish_php-cas: not-affected (1.3.6-1)
jammy_php-cas: not-affected (1.3.6-1)
devel_php-cas: not-affected (1.3.6-1)