FusionDirectory 1.3.1 CAS broken by security update on Debian 10.
Describe the bug
After upgrading a Debian 10, a security update for package php-cas 1.3.6-1+deb10u1 was installed. fusiondirectory 1.3.1 from repos.fusiondirectory. was already installed and running, and CAS login broke due to this update. A fusiondirectory 1.2.3-4 with this fix is provided by the Debian LTS security team, but this is on 1.2.3 and older than the installed version.
To Reproduce
Steps to reproduce the behavior:
- Upgrade Debian 10 with the security repository enabled
- Connect to fusiondirectory using CAS
- See error
Fatal error: Uncaught ArgumentCountError: Too few arguments to function phpCAS::client(), 4 passed in /usr/share/fusiondirectory/html/index.php on line 527 and at least 5 expected in /usr/share/php/CAS/source/CAS.php:346 Stack trace: #0 /usr/share/fusiondirectory/html/index.php(527): phpCAS::client('2.0', 'auth.nevers.fr', 443, '/cas') #1 /usr/share/fusiondirectory/html/index.php(585): Index::casLoginProcess() #2 {main} thrown in /usr/share/php/CAS/source/CAS.php on line 346
Expected behavior
A fusiondirectory 1.3.x (x>1) upstream package supporting the php-cas API change from Debian 10.
**Debian Information**
The security update occurred on the 8th of July 2023.
- https://www.debian.org/lts/security/2023/dla-3487.en.html
- https://tracker.debian.org/news/1442674/accepted-fusiondirectory-123-4deb10u2-source-into-oldoldstable/
- https://security-tracker.debian.org/tracker/CVE-2022-36180

This is fixed in fusiondirectory 1.4 using a 1.6.x php-cas with commit 299a320a7fe905402aea85b899dbd5a9cab9324c. But there is no 1.3.x backport fix; the 1.2.3-4 one comes from Debian.
Hello @artlog,
we will look into it for 1.3.2, but it's low priority right now.
Cheers
We decided not to get out a 1.3.2 as 1.3.1 is on security fixes only, and we don't support Debian 10 anymore
Cheers
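
The error in the report comes from a four-argument call meeting a `phpCAS::client()` that now requires five; in upstream phpCAS 1.6 the added fifth argument is the service base URL. The sketch below is an added example, not FusionDirectory's code and not the fix commit cited above: it shows one way a caller can detect the installed signature and pass a configured base URL. The stub classes, the helper name `cas_client_compat`, the `https`-only check and the `example.org` hosts are all assumptions made for illustration.

```php
<?php
// Constructed stand-ins for the two client() signatures (NOT the real phpCAS class).
final class CasOldStub {
    public static function client($version, $host, $port, $uri, $changeSessionID = true) {
        return func_get_args();
    }
}
final class CasNewStub {
    public static function client($version, $host, $port, $uri, $service_base_url, $changeSessionID = true) {
        return func_get_args();
    }
}

/**
 * Hypothetical helper: call $class::client() with or without the service
 * base URL, depending on how many parameters the installed method requires.
 */
function cas_client_compat(string $class, string $version, string $host,
                           int $port, string $uri, string $serviceBaseUrl) {
    $required = (new ReflectionMethod($class, 'client'))->getNumberOfRequiredParameters();
    if ($required >= 5) {
        // Patched API. The value must come from the application's own
        // configuration, never from request headers such as Host.
        // Requiring https://host[:port] is this example's own policy.
        if (!preg_match('#^https://[a-z0-9.-]+(:\d+)?$#i', $serviceBaseUrl)) {
            throw new InvalidArgumentException('service base URL must be https://host[:port]');
        }
        return $class::client($version, $host, $port, $uri, $serviceBaseUrl);
    }
    // Pre-update API: the four-argument call from the stack trace still works.
    return $class::client($version, $host, $port, $uri);
}

// Placeholder values, constructed for this example.
$base = 'https://fd.example.org';
foreach (['CasOldStub', 'CasNewStub'] as $class) {
    $args = cas_client_compat($class, '2.0', 'cas.example.org', 443, '/cas', $base);
    printf("%s received %d arguments\n", $class, count($args));
}
```

With the real library, the class name passed in would be `phpCAS`, and the base URL would be the fixed public address of the FusionDirectory instance.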