| Summary: | owncloud-client new security issue CVE-2015-4456 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, fri, mageia, marc.lattemann, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/650303/ | ||
| Whiteboard: | MGA4TOO MGA4-64-OK MGA4-32-OK MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | owncloud-client-1.8.1-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-06-11 01:38:18 CEST
David Walser
2015-06-11 01:38:24 CEST
Whiteboard:
(none) =>
MGA5TOO, MGA4TOO

The 1.8.2 release has been pulled due to a regression on Windows:
https://mailman.owncloud.org/pipermail/devel/2015-June/001323.html

I asked about it on IRC in #owncloud-devel and #owncloud-security and was told:

<danimo> Luigi12: we shall be releasing owncloud client 1.8.3 on monday or tuesday. 1.8.2 had a regression. It's not mainly affecting linux, but I'd still recommend to wait

So we'll wait and hopefully be able to get this in soon.

CC:
(none) =>
fri

Great, thanks :)

owncloud-client 1.8.3 has been released on June 23:
https://owncloud.org/changelog/desktop/

I can't build now in Mageia 5 because of the partial Qt5 update in updates_testing, nothing can be built against Qt5. Saving the advisory for later.

If any sysadmins see this, please remove qtbase5 and associated RPMs from Mageia 5 core/updates_testing. We can't push that until all of the Qt5 packages are committed and ready to build.

Advisory:
========================

Updated owncloud-client packages fix security vulnerability:

ownCloud Desktop Client before 1.8.2 was vulnerable against MITM attacks when used in combination with self-signed certificates (CVE-2015-4456).

The owncloud-client package has been updated to version 1.8.3, which fixes this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4456
https://owncloud.org/security/advisory/?id=oc-sa-2015-009
https://owncloud.org/changelog/desktop/

CC:
(none) =>
sysadmin-bugs

Updated packages uploaded for Mageia 4 and Mageia 5.

Advisory:
========================

Updated owncloud-client packages fix security vulnerability:

ownCloud Desktop Client before 1.8.2 was vulnerable against MITM attacks when used in combination with self-signed certificates (CVE-2015-4456).

The owncloud-client package has been updated to version 1.8.3, which fixes this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4456
https://owncloud.org/security/advisory/?id=oc-sa-2015-009
https://owncloud.org/changelog/desktop/
========================

Updated packages in core/updates_testing:
========================
owncloud-client-1.8.3-1.mga4
libowncloudsync1-1.8.3-1.mga4
libocsync1-1.8.3-1.mga4
libowncloud-client-devel-1.8.3-1.mga4
owncloud-client-1.8.3-1.mga5
libowncloudsync1-1.8.3-1.mga5
libocsync1-1.8.3-1.mga5
libowncloud-client-devel-1.8.3-1.mga5

from SRPMS:
owncloud-client-1.8.3-1.mga4
owncloud-client-1.8.3-1.mga5

CC:
sysadmin-bugs =>
mageia

Test OK mga5 i586 & x86_64; upgrading existing installation of client 1.8.1

Package owncloud-client-1.8.3-1.mga5 from mga5 core testing.

owncloud-client now also pulls current libowncloudsync1 and libocsync1/lib64ocsync1 - great!

?: shouldn't the advisory also list the lib*64* packages?

The client on initial start rechecks all existing sync folders and behaves correctly, no output in terminal it started from.

Tested on mga4 (32bit/64bit): don't know how to test vulnerability, but installation, syncing with existing cloud works as expected.

Adding mga4-OK tags and mga5-OK tags as well according to Comment 5

After upload of advisory update can be validated and pushed to core-updates.

CC:
(none) =>
marc.lattemann

Advisory committed to svn.

Someone from the sysadmin team please push 16106.adv to updates.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0256.html

Status:
NEW =>
RESOLVED
David Walser
2015-07-06 20:25:29 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/650303/