Bug 10763 - owncloud new security issues fixed in 5.0.8
: owncloud new security issues fixed in 5.0.8
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/560024/
: mga3-32-ok mga3-64-ok
: validated_update
:
: 10275
  Show dependency treegraph
 
Reported: 2013-07-12 17:11 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
5 users (show)

See Also:
Source RPM: owncloud-5.0.7-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-12 17:11:09 CEST
Upstream has released OwnCloud on 5.0.8 on July 10:
http://owncloud.org/changelog/

It fixes two security issues.  Mageia 3 will also need an update.

The upstream security advisories (not posted yet) will be here:
http://owncloud.org/about/security/advisories/oC-SA-2013-029/
http://owncloud.org/about/security/advisories/oC-SA-2013-030/

Also note Bug 10275 filed against this package.  This bug is due to a problem in both the apache and owncloud packages.  For owncloud, it should not hardcode the /etc/httpd/conf/webapps.d directory, but use instead the _webappconfdir macro, as indicated in Bug 6954.

For apache, the filetrigger currently misses it because webapps.d got removed from the list of directories that the filetrigger checks.  We should fix this in the next apache update.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-07-13 19:31:10 CEST
blino uploaded owncloud-5.0.8-1.mga4 for Cauldron.

Bug 10275 path issue not fixed yet.
Comment 2 Nicolas Lécureuil 2013-07-14 00:36:55 CEST
fixed on svn and in the BS right now
Comment 3 David Walser 2013-07-14 01:05:18 CEST
Thanks Nicolas!

Assigning to QA.  Advisory information seems still not available yet.

Note to QA: this should also fix Bug 10275 for this package.

owncloud-5.0.8-1.mga3
Comment 4 claire robinson 2013-07-18 11:23:03 CEST
Testing i586

There is a problem upgrading. After installing the update and opening http://localhost/owncloud again it says it is updating to 5.0.8 and may take some time.

I left it for 45 minutes without change. When refreshed it says Owncloud is in maintenance mode and there is no apparent way to get it out of maintenance mode.

Confirm though that when the update candidate is installed directly it does now restart httpd so is accessible without manually doing so. Bug 10275 is fixed.

# urpme owncloud
# rm -rf /usr/share/owncloud
# service httpd restart
# urpmi owncloud
installing owncloud-5.0.8-1.mga3.noarch.rpm from /var/cache/urpmi/rpms                                                      
Preparing...                     ####################################
      1/1: owncloud              ####################################
#


In the admin settings it shows there is an update for this already, the current version is 5.0.9, released July 15th, only 5 days after 5.0.8. From the changelog, one of the improvements is to make the upgrade routine more robust, so it's possible there was a problem with the 5.0.8 release.

http://owncloud.org/changelog/
Comment 5 David Walser 2013-07-18 14:39:44 CEST
Nicolas has updated the update candidate:
owncloud-5.0.9-1.mga3
Comment 6 claire robinson 2013-07-18 15:36:29 CEST
Yep, that's better. Testing complete mga3 32
Comment 7 claire robinson 2013-07-18 16:13:06 CEST
Testing complete mga3 64

Need an advisory now though please to be able to validate..
Comment 8 David Walser 2013-07-18 16:27:09 CEST
Thanks Claire.  I got this response from one of the developers on IRC in #owncloud yesterday.  They're still not posted yet.

[11:38:54] <AnybodyElse> Luigi12_work: I'll release them as soon as possible. Sorry. I'm actually *very* busy with my job.
[11:40:00] <AnybodyElse> Luigi12_work: that said: the vulnerabilities aren't really severe and only exploitable in some very special and unusuable setups

For now we can go with the following, and update later if need be.

Updated owncloud package fix security vulnerabilities:

XSS vulnerability in “Share Interface” (oC-SA-2013-029).

Authentication bypass in “user_webdavauth” (oC-SA-2013-030).

This update provides OwnCloud 5.0.9, which fixes these issues, as well as
several other bugs.

References:
http://owncloud.org/about/security/advisories/oC-SA-2013-029/
http://owncloud.org/about/security/advisories/oC-SA-2013-030/
http://owncloud.org/changelog/
Comment 9 claire robinson 2013-07-18 16:39:35 CEST
Validating. Advisory uploaded with CVE-Not-Assigned-Yet, it will need to be updated later as they become available.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks
Comment 10 Nicolas Vigier 2013-07-21 10:55:22 CEST
(In reply to claire robinson from comment #9)
> Validating. Advisory uploaded with CVE-Not-Assigned-Yet, it will need to be
> updated later as they become available.

In that case, no CVE should be listed. I've removed it.
Comment 11 Nicolas Vigier 2013-07-21 12:00:41 CEST
http://advisories.mageia.org/MGASA-2013-0220.html

Note You need to log in before you can comment on or make changes to this bug.