php-cas (1.3.6-1+deb10u1) buster-security; urgency=medium

  This fixes CVE-2022-39369, backported for LTS/buster from upstream
  version 1.6.

  The fix required in php-cas is API breaking and users of the library
  will need to update their code and pass an additional parameter to the
  phpCAS::client() constructor, as elaborated by the upstream upgrading
  guide: [1]

  phpCAS now requires an additional service base URL argument when
  constructing the client class, similar to other CAS clients' serverName
  config. It accepts any of the following:

  1. A service base URL string. The service URL discovery will always use
  this server name (protocol, hostname and port number) without using any
  external host names.

  2. An array of service base URL strings. The service URL discovery will
  check against this list before using the auto-discovered base URL. If
  there is no match, the first base URL in the array will be used as the
  default. This option is helpful if your PHP website is accessible
  through multiple domains without a canonical name, or through both HTTP
  and HTTPS.

  3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to
  customize the base URL discovery behavior, you can pass in a class that
  implements the interface.
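
  Added example, not taken from the upstream guide or from php-cas itself:
  a simplified PHP model of the allow-list behaviour described in option 2.
  The function names, the default-port normalisation and all sample URLs
  are assumptions made for illustration.

  ```php
  <?php
  // Added example: a simplified model of option 2, not phpCAS source code.

  /** Drop a default port so "https://a:443" and "https://a" compare equal (assumed rule). */
  function normalize_base_url(string $url): string
  {
      $p = parse_url($url);
      if ($p === false || !isset($p['scheme'], $p['host'])) {
          throw new InvalidArgumentException("not a base URL: $url");
      }
      $scheme  = strtolower($p['scheme']);
      $host    = strtolower($p['host']);
      $port    = $p['port'] ?? null;
      $default = ['http' => 80, 'https' => 443][$scheme] ?? null;
      $base    = "$scheme://$host";
      return ($port === null || $port === $default) ? $base : "$base:$port";
  }

  /** Use the discovered base URL only if it is on the list, else the first entry. */
  function pick_service_base_url(array $allowed, string $discovered): string
  {
      if ($allowed === []) {
          throw new InvalidArgumentException('at least one base URL is required');
      }
      $allowed = array_values(array_map('normalize_base_url', $allowed));
      try {
          $candidate = normalize_base_url($discovered);
      } catch (InvalidArgumentException $e) {
          return $allowed[0]; // unparsable request host: fall back to the default
      }
      return in_array($candidate, $allowed, true) ? $candidate : $allowed[0];
  }

  // Constructed sample values.
  $allowed = ['https://www.example.org', 'https://intranet.example.org:8443'];
  foreach ([
      'https://intranet.example.org:8443', // listed: used as-is
      'https://www.example.org:443',       // listed once the default port is dropped
      'https://unlisted.example',          // host not on the list: default is used
  ] as $discovered) {
      printf("%-36s -> %s\n", $discovered, pick_service_base_url($allowed, $discovered));
  }

  // With the library loaded, the list is passed as the additional argument.
  // Fifth position as in upstream 1.6 (assumed unchanged in this backport);
  // $cas_host, $cas_port and $cas_context are placeholders:
  // phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $allowed);
  ```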

  [1] https://github.com/apereo/phpCAS/blob/b759361d904a2cb2a3bcee9411fc348cfde5d163/docs/Upgrading#L5

 -- Tobias Frost <tobi@debian.org>  Sat, 08 Jul 2023 13:48:07 +0200
