Sébastien PORTEFAIX reported [1] a deficiency in the way the Central Authentication Service (CAS) client library processed service tickets (the submitted service ticket was used to rename the HTTP session before it was validated). A remote attacker, intercepting the communication, could use this flaw to hijack any authenticated user session.
[1] https://issues.jasig.org/browse/PHPCAS-61
Upstream patch: [2] https://developer.jasig.org/source/changelog/jasigsvn/cas-clients/phpcas/trunk/source?cs=20822
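
The ordering problem described above, as an added example: a small Python model, not phpCAS code and not the upstream patch. All names, the ticket-to-session-id mapping and the sample tickets are assumptions constructed for illustration.

```python
import re
import secrets

def make_validator(issued):
    """Stub for the CAS server's ticket check (constructed); tickets are single-use."""
    remaining = set(issued)
    def validate(ticket):
        if ticket in remaining:
            remaining.discard(ticket)
            return "alice"  # constructed user name
        return None
    return validate

class Session:
    def __init__(self):
        self.id = secrets.token_hex(16)  # identifier chosen by the server
        self.user = None

def ticket_to_session_id(ticket):
    # Assumed mapping: keep only the word characters of the ticket.
    return re.sub(r"\W", "", ticket)

def callback_before_fix(session, ticket, validate):
    # Order described in the report: rename first, validate afterwards.
    session.id = ticket_to_session_id(ticket)
    session.user = validate(ticket)
    return session

def callback_after_fix(session, ticket, validate):
    # Corrected order: nothing from the request touches the session
    # until the CAS server has confirmed the ticket.
    user = validate(ticket)
    if user is None:
        return session
    session.id = ticket_to_session_id(ticket)
    session.user = user
    return session

def id_follows_unvalidated_ticket(callback):
    """Regression check: True if a rejected ticket still changes the session id."""
    session = Session()
    original_id = session.id
    callback(session, "ST-0-neverIssued", make_validator({"ST-1-constructedSample"}))
    return session.id != original_id
```

`id_follows_unvalidated_ticket` can serve as a regression test for any callback handler with the same shape: it must return `False` for a correctly ordered handler.
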
This issue affects the versions of the php-pear-CAS package as shipped with Fedora releases 12 and 13. Please fix.
This issue affects the versions of the glpi package as shipped with Fedora releases 12 and 13. Please fix.
This issue affects the versions of the moodle package as shipped with Fedora releases 12 and 13. This issue affects the versions of the moodle package as shipped within the EPEL-4 and EPEL-5 repositories. Please fix.
Created php-pear-CAS tracking bugs for this issue. Affects: fedora-all [bug 620753]
Created glpi tracking bugs for this issue. Affects: fedora-all [bug 620759]
Created moodle tracking bugs for this issue. Affects: fedora-all [bug 620772]