Bug 10763

Summary: owncloud new security issues fixed in 5.0.8
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, mageia, mageia, oe, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/560024/
Whiteboard: mga3-32-ok mga3-64-ok
Source RPM: owncloud-5.0.7-1.mga4.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 10275    

Description David Walser 2013-07-12 17:11:09 CEST 
Upstream has released OwnCloud on 5.0.8 on July 10:
http://owncloud.org/changelog/

It fixes two security issues.  Mageia 3 will also need an update.

The upstream security advisories (not posted yet) will be here:
http://owncloud.org/about/security/advisories/oC-SA-2013-029/
http://owncloud.org/about/security/advisories/oC-SA-2013-030/

Also note Bug 10275 filed against this package.  This bug is due to a problem in both the apache and owncloud packages.  For owncloud, it should not hardcode the /etc/httpd/conf/webapps.d directory, but use instead the _webappconfdir macro, as indicated in Bug 6954.

For apache, the filetrigger currently misses it because webapps.d got removed from the list of directories that the filetrigger checks.  We should fix this in the next apache update.

Reproducible: 

Steps to Reproduce:
David Walser 2013-07-12 17:11:36 CEST

CC: (none) => oe
Blocks: (none) => 10275
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2013-07-13 19:31:10 CEST 
blino uploaded owncloud-5.0.8-1.mga4 for Cauldron.

Bug 10275 path issue not fixed yet.

CC: (none) => mageia
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 2 Nicolas Lécureuil 2013-07-14 00:36:55 CEST 
fixed on svn and in the BS right now
Comment 3 David Walser 2013-07-14 01:05:18 CEST 
Thanks Nicolas!

Assigning to QA.  Advisory information seems still not available yet.

Note to QA: this should also fix Bug 10275 for this package.

owncloud-5.0.8-1.mga3

CC: (none) => nicolas.lecureuil
Assignee: nicolas.lecureuil => qa-bugs

Comment 4 claire robinson 2013-07-18 11:23:03 CEST 
Testing i586

There is a problem upgrading. After installing the update and opening http://localhost/owncloud again it says it is updating to 5.0.8 and may take some time.

I left it for 45 minutes without change. When refreshed it says Owncloud is in maintenance mode and there is no apparent way to get it out of maintenance mode.

Confirm though that when the update candidate is installed directly it does now restart httpd so is accessible without manually doing so. Bug 10275 is fixed.

# urpme owncloud
# rm -rf /usr/share/owncloud
# service httpd restart
# urpmi owncloud
installing owncloud-5.0.8-1.mga3.noarch.rpm from /var/cache/urpmi/rpms                                                      
Preparing...                     ####################################
      1/1: owncloud              ####################################
#


In the admin settings it shows there is an update for this already, the current version is 5.0.9, released July 15th, only 5 days after 5.0.8. From the changelog, one of the improvements is to make the upgrade routine more robust, so it's possible there was a problem with the 5.0.8 release.

http://owncloud.org/changelog/

Whiteboard: (none) => feedback

Comment 5 David Walser 2013-07-18 14:39:44 CEST 
Nicolas has updated the update candidate:
owncloud-5.0.9-1.mga3

Whiteboard: feedback => (none)

Comment 6 claire robinson 2013-07-18 15:36:29 CEST 
Yep, that's better. Testing complete mga3 32

Whiteboard: (none) => mga3-32-ok

Comment 7 claire robinson 2013-07-18 16:13:06 CEST 
Testing complete mga3 64

Need an advisory now though please to be able to validate..

Whiteboard: mga3-32-ok => mga3-32-ok mga3-64-ok

Comment 8 David Walser 2013-07-18 16:27:09 CEST 
Thanks Claire.  I got this response from one of the developers on IRC in #owncloud yesterday.  They're still not posted yet.

[11:38:54] <AnybodyElse> Luigi12_work: I'll release them as soon as possible. Sorry. I'm actually *very* busy with my job.
[11:40:00] <AnybodyElse> Luigi12_work: that said: the vulnerabilities aren't really severe and only exploitable in some very special and unusuable setups

For now we can go with the following, and update later if need be.

Updated owncloud package fix security vulnerabilities:

XSS vulnerability in âShare Interfaceâ (oC-SA-2013-029).

Authentication bypass in âuser_webdavauthâ (oC-SA-2013-030).

This update provides OwnCloud 5.0.9, which fixes these issues, as well as
several other bugs.

References:
http://owncloud.org/about/security/advisories/oC-SA-2013-029/
http://owncloud.org/about/security/advisories/oC-SA-2013-030/
http://owncloud.org/changelog/
Sander Lepik 2013-07-18 16:31:57 CEST

CC: (none) => mageia
Summary: owncloud new security issues fixed in 5.0.8 => owncloud new security issues fixed in 5.0.9

Comment 9 claire robinson 2013-07-18 16:39:35 CEST 
Validating. Advisory uploaded with CVE-Not-Assigned-Yet, it will need to be updated later as they become available.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

David Walser 2013-07-18 16:52:00 CEST

Summary: owncloud new security issues fixed in 5.0.9 => owncloud new security issues fixed in 5.0.8

Comment 10 Nicolas Vigier 2013-07-21 10:55:22 CEST 
(In reply to claire robinson from comment #9)
> Validating. Advisory uploaded with CVE-Not-Assigned-Yet, it will need to be
> updated later as they become available.

In that case, no CVE should be listed. I've removed it.

CC: (none) => boklm

Comment 11 Nicolas Vigier 2013-07-21 12:00:41 CEST 
http://advisories.mageia.org/MGASA-2013-0220.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2013-07-22 19:33:26 CEST

URL: (none) => http://lwn.net/Vulnerabilities/560024/

Nicolas Vigier 2014-05-08 18:05:31 CEST

CC: boklm => (none)