Upstream has issued an advisory today (June 7): http://owncloud.org/about/security/advisories/oC-SA-2013-028/ The issues are fixed in 5.0.7. Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
owncloud-5.0.7-1.mga3 has been uploaded for Mageia 3, but this isn't yet fixed in Cauldron. I'll push to QA once that's done.
owncloud-5.0.7-1.mga4 has been uploaded for Cauldron. Thanks Nicolas!
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
Assigning to QA.

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the files_videoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allow authenticated remote attackers to inject arbitrary web script or HTML via shared files (CVE-2013-2150).

Cross-site scripting (XSS) vulnerabilities in core/js/oc-dialogs.js via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and other versions before 4.0.16 allow authenticated remote attackers to inject arbitrary web script or HTML via shared files (CVE-2013-2149).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2150
http://owncloud.org/about/security/advisories/oC-SA-2013-028/
========================

Updated packages in core/updates_testing:
========================
owncloud-5.0.7-1.mga3 from owncloud-5.0.7-1.mga3.src.rpm
CC: (none) => nicolas.lecureuil
Assignee: nicolas.lecureuil => qa-bugs
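Both CVEs in the advisory above are the same class of bug: a string that one user controls (the advisory says "via shared files", the exact vectors are unspecified) ends up in client-side markup without escaping, so the user who receives the share renders it as script. The following is an added illustration in JavaScript, not ownCloud's code and not the actual vector: it assumes, for the sake of the example, that the untrusted string is a shared file's name and that the client builds a dialog title from it. It shows the unescaped pattern beside the fixed one and a small check that tells them apart.

```javascript
// Added example, not code from ownCloud or from this bug report.
// Assumption (not stated in the advisory): the attacker-controlled input is
// the name of a shared file, and the client concatenates it into HTML.

// Escape the five characters that let text break out of an element body or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: whatever the sharing user named the file is rendered
// verbatim in the recipient's browser (stored XSS).
function buildDialogTitleVulnerable(fileName) {
  return '<div class="oc-dialog-title">' + fileName + '</div>';
}

// Fixed pattern: the name is escaped before it is placed into markup, so it
// can only ever be shown as text.
function buildDialogTitleSafe(fileName) {
  return '<div class="oc-dialog-title">' + escapeHtml(fileName) + '</div>';
}

// Constructed sample inputs (hypothetical file names, not from the advisory).
// The victim never chose these names; the sharer did.
const BENIGN_NAME = 'holiday.mp4';
const HOSTILE_NAME = 'report<img src=x onerror="alert(document.cookie)">.mp4';

// Check: does the produced markup contain any tag other than the <div> the
// template itself wrote? Escaped input can never satisfy this, because
// "&lt;" is not a tag opener.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div\b/.test(t));
}

// Stand-alone run: the vulnerable builder leaks an <img> with an onerror
// handler; the safe builder does not, and it still shows the benign name.
console.log(containsInjectedTag(buildDialogTitleVulnerable(HOSTILE_NAME)));
console.log(containsInjectedTag(buildDialogTitleSafe(HOSTILE_NAME)));
console.log(buildDialogTitleSafe(BENIGN_NAME));
```

The point of the check function is that a QA tester without a proof of concept (as in the comments below) can still probe this class of bug by naming a file with markup in it and inspecting the rendered DOM of the recipient's session for tags the application did not write.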
No PoC, so just testing that http://localhost/owncloud/index.php works from Firefox and with owncloud from owncloud-client. Testing complete on Mageia 3 i586. Testing x86_64 shortly.
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA3-32-OK
Testing complete on Mageia 3 x86_64. Could someone from the sysadmin team push the srpm owncloud-5.0.7-1.mga3.src.rpm from Mageia 3 Core Updates Testing to Core Updates.

Advisory:

Updated owncloud package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the files_videoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allow authenticated remote attackers to inject arbitrary web script or HTML via shared files (CVE-2013-2150).

Cross-site scripting (XSS) vulnerabilities in core/js/oc-dialogs.js via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and other versions before 4.0.16 allow authenticated remote attackers to inject arbitrary web script or HTML via shared files (CVE-2013-2149).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2150
http://owncloud.org/about/security/advisories/oC-SA-2013-028/
https://bugs.mageia.org/show_bug.cgi?id=10452
Keywords: (none) => validated_update
Whiteboard: MGA3-32-OK => MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs
Mandriva has issued an advisory for this today (June 17): http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:175/
URL: (none) => http://lwn.net/Vulnerabilities/554874/
http://advisories.mageia.org/MGASA-2013-0171.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)