It was found that URL encoding used in the back-channel ticket validation of the JA-SIG CAS client was improper. A remote attacker could exploit this flaw to bypass security constraints by injecting URL parameters.
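To make the description above concrete for anyone auditing a CAS client of their own, here is an added example (not code from the JA-SIG CAS client or from this bug) that builds a back-channel ticket validation URL two ways: once by naive string concatenation and once with proper percent-encoding of each query value. The CAS server address, service URL and ticket value are constructed sample data, and `carries_exactly` is a hypothetical check a defender can run over a client's generated URLs to confirm that only the intended `service` and `ticket` parameters reach the server.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Constructed sample values; the ticket deliberately contains a stray "&...=..."
# fragment so the two builders can be compared.
CAS_SERVER = "https://cas.example.org/cas"
SERVICE = "https://app.example.org/login?next=/home"
TICKET = "ST-1234-abc&extra=1"


def build_validate_url_naive(service: str, ticket: str) -> str:
    """Concatenates raw values: any '&' or '=' inside a value becomes query structure."""
    return f"{CAS_SERVER}/serviceValidate?service={service}&ticket={ticket}"


def build_validate_url_encoded(service: str, ticket: str) -> str:
    """Percent-encodes every reserved character, so each value stays one parameter."""
    query = urlencode({"service": service, "ticket": ticket}, quote_via=quote, safe="")
    return f"{CAS_SERVER}/serviceValidate?{query}"


def query_params(url: str) -> dict:
    """Parses the query string the way the CAS server would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def carries_exactly(url: str, service: str, ticket: str) -> bool:
    """Hypothetical audit check: the URL must carry only 'service' and 'ticket',
    each exactly once and with the original value intact."""
    params = query_params(url)
    return params == {"service": [service], "ticket": [ticket]}


if __name__ == "__main__":
    for name, builder in (("naive", build_validate_url_naive),
                          ("encoded", build_validate_url_encoded)):
        url = builder(SERVICE, TICKET)
        print(f"{name}: {url}")
        print(f"  server sees: {query_params(url)}")
        print(f"  well-formed: {carries_exactly(url, SERVICE, TICKET)}")
```

Run as a script, the naive builder shows a third parameter (`extra`) and a truncated `ticket` on the server side, while the encoded builder delivers exactly the two intended parameters with their values unchanged; `carries_exactly` is the assertion to add to a client's test suite.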
Created cas-client tracking bugs for this issue:
Affects: fedora-all [bug 1131371]
cas-client-3.3.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
As noted in the Debian bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3 fixed this issue there.
php-pear-CAS 1.3.3 is already in Fedora and EPEL.
(In reply to Murray McAllister from comment #10)
> As noted in the Debian bug,
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3
> fixed this issue there.
> php-pear-CAS 1.3.3 is already in Fedora and EPEL.
This issue has been addressed in the following products:
JBoss Portal 6.2.0
Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
This issue does not affect JasperReports as used in Red Hat Enterprise Virtualization Manager, marking wontfix.