Bug 10452 - owncloud new security issues fixed in 5.0.7
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/554874/
Whiteboard: MGA3-32-OK MGA3-64-OK
Keywords: validated_update

Reported: 2013-06-07 14:03 CEST by David Walser
Modified: 2014-05-08 18:04 CEST (History)
Source RPM: owncloud-5.0.6-1.mga3.src.rpm

Description David Walser 2013-06-07 14:03:09 CEST
Upstream has issued an advisory today (June 7):
http://owncloud.org/about/security/advisories/oC-SA-2013-028/

The issues are fixed in 5.0.7.  Mageia 3 is also affected.

Comment 1 David Walser 2013-06-11 18:40:03 CEST
owncloud-5.0.7-1.mga3 has been uploaded for Mageia 3, but this isn't yet fixed in Cauldron.  I'll push to QA once that's done.
Comment 2 David Walser 2013-06-11 21:17:29 CEST
owncloud-5.0.7-1.mga4 has been uploaded for Cauldron.  Thanks Nicolas!
Comment 3 David Walser 2013-06-11 21:20:42 CEST
Assigning to QA.

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the
files_videoviewer application via multiple unspecified vectors in all ownCloud
versions prior to 5.0.7 and 4.5.12 allow authenticated remote attackers to
inject arbitrary web script or HTML via shared files (CVE-2013-2150).

Cross-site scripting (XSS) vulnerabilities in core/js/oc-dialogs.js via
multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and other
versions before 4.0.16 allow authenticated remote attackers to inject
arbitrary web script or HTML via shared files (CVE-2013-2149).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2150
http://owncloud.org/about/security/advisories/oC-SA-2013-028/
========================

Updated packages in core/updates_testing:
========================
owncloud-5.0.7-1.mga3

from owncloud-5.0.7-1.mga3.src.rpm
Comment 4 Dave Hodgins 2013-06-11 22:03:51 CEST
No PoC, so just testing that http://localhost/owncloud/index.php works
from Firefox and with owncloud from owncloud-client.

Testing complete on Mageia 3 i586.  Testing x86-64 shortly.
Comment 5 Dave Hodgins 2013-06-11 22:08:05 CEST
Testing complete on Mageia 3 x86_64.

Could someone from the sysadmin team push the srpm
owncloud-5.0.7-1.mga3.src.rpm
from Mageia 3 Core Updates Testing to Core Updates.

Advisory: Updated owncloud package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the
files_videoviewer application via multiple unspecified vectors in all ownCloud
versions prior to 5.0.7 and 4.5.12 allow authenticated remote attackers to
inject arbitrary web script or HTML via shared files (CVE-2013-2150).

Cross-site scripting (XSS) vulnerabilities in core/js/oc-dialogs.js via
multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and other
versions before 4.0.16 allow authenticated remote attackers to inject
arbitrary web script or HTML via shared files (CVE-2013-2149).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2150
http://owncloud.org/about/security/advisories/oC-SA-2013-028/

https://bugs.mageia.org/show_bug.cgi?id=10452
Comment 6 David Walser 2013-06-17 21:28:18 CEST
Mandriva has issued an advisory for this today (June 17):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:175/
Comment 7 Nicolas Vigier 2013-06-18 17:13:09 CEST
http://advisories.mageia.org/MGASA-2013-0171.html