oss-sec mailing list archives

CVE Requests for phpCAS


From: Joachim Fritschi <jfritschi () freenet de>
Date: Sun, 04 Mar 2012 17:21:34 +0100

Hi,

2 security vulnerabilities were discovered in the phpCAS library from the jasig project.

In the default configuration a phpCAS-protected application allowed any other CAS service with proxy authorization and valid user credentials to proxy any other phpCAS application in the same SSO realm. This is a security flaw since individual applications should check whether another application is actually authorized to proxy for users in this particular application. This issue can be found on the issue tracker and a fix has already been committed:
https://issues.jasig.org/browse/PHPCAS-69


In the default debug configuration a debug log was stored without proper protection in /tmp, and in a proxy configuration session data was stored without proper protection in /tmp. Both of these could leak private user attributes and sensitive login tokens during the login procedure to other users on the webserver. This issue can be found on the issue tracker and a fix has already been committed:
https://github.com/Jasig/phpCAS/issues/22

Could you please allocate two CVE identifiers for these issues?

Thanks,

Joachim
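The proxy-chain check described in the first issue, as an added example that is not part of the post and not phpCAS's own code: it parses a CAS 2.0 authenticationSuccess response, reads the `<cas:proxies>` chain, and accepts the user only when that chain exactly matches one of the application's allowed chains. The sample responses and the proxy URLs are constructed; the "allow any proxy" flag reproduces the permissive behaviour the report describes.

```python
import xml.etree.ElementTree as ET

# CAS 2.0 protocol namespace used in /serviceValidate and /proxyValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def cas_success_response(user, proxies):
    """Build a constructed CAS 2.0 success response (sample data, not from a real server).
    Per the protocol the proxy chain is listed most-recent proxy first."""
    proxy_xml = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in proxies)
    return (
        '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
        f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
        f"<cas:proxies>{proxy_xml}</cas:proxies>"
        "</cas:authenticationSuccess></cas:serviceResponse>"
    )


def parse_cas_response(xml_text):
    """Return (user, [proxy URLs]) on authenticationSuccess, None on failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.findtext("cas:user", namespaces=CAS_NS)
    proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    return user, proxies


def accept_proxied_user(xml_text, allowed_chains, allow_any_proxy=False):
    """Return the username if the ticket is acceptable for this application, else None.

    allowed_chains: list of proxy chains (each a list of proxy URLs, most-recent first)
    that this application trusts. A chain must match exactly and in full, so an
    untrusted proxy sitting anywhere in the chain is rejected.
    """
    parsed = parse_cas_response(xml_text)
    if parsed is None:
        return None
    user, proxies = parsed
    if not proxies:
        return user          # direct login, no proxy involved
    if allow_any_proxy:
        return user          # permissive mode: trusts every proxy in the SSO realm
    for chain in allowed_chains:
        if list(chain) == proxies:
            return user
    return None
```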

