Upstream released OwnCloud 5.0.8 on July 10:
http://owncloud.org/changelog/

It fixes two security issues. Mageia 3 will also need an update.

The upstream security advisories (not posted yet) will be here:
http://owncloud.org/about/security/advisories/oC-SA-2013-029/
http://owncloud.org/about/security/advisories/oC-SA-2013-030/

Also note Bug 10275 filed against this package. This bug is due to a problem in both the apache and owncloud packages. For owncloud, it should not hardcode the /etc/httpd/conf/webapps.d directory, but instead use the _webappconfdir macro, as indicated in Bug 6954. For apache, the filetrigger currently misses it because webapps.d got removed from the list of directories that the filetrigger checks. We should fix this in the next apache update.
CC: (none) => oe
Blocks: (none) => 10275
Whiteboard: (none) => MGA3TOO
blino uploaded owncloud-5.0.8-1.mga4 for Cauldron. Bug 10275 path issue not fixed yet.
CC: (none) => mageia
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
fixed on svn and in the BS right now
Thanks Nicolas! Assigning to QA.

Advisory information seems still not available yet.

Note to QA: this should also fix Bug 10275 for this package.

owncloud-5.0.8-1.mga3
CC: (none) => nicolas.lecureuil
Assignee: nicolas.lecureuil => qa-bugs
Testing i586

There is a problem upgrading. After installing the update and opening http://localhost/owncloud again it says it is updating to 5.0.8 and may take some time. I left it for 45 minutes without change. When refreshed it says Owncloud is in maintenance mode and there is no apparent way to get it out of maintenance mode.

Confirm though that when the update candidate is installed directly it does now restart httpd so is accessible without manually doing so. Bug 10275 is fixed.

# urpme owncloud
# rm -rf /usr/share/owncloud
# service httpd restart
# urpmi owncloud
installing owncloud-5.0.8-1.mga3.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ####################################
1/1: owncloud ####################################
#

In the admin settings it shows there is an update for this already, the current version is 5.0.9, released July 15th, only 5 days after 5.0.8. From the changelog, one of the improvements is to make the upgrade routine more robust, so it's possible there was a problem with the 5.0.8 release.
http://owncloud.org/changelog/
Whiteboard: (none) => feedback
Nicolas has updated the update candidate:
owncloud-5.0.9-1.mga3
Whiteboard: feedback => (none)
Yep, that's better. Testing complete mga3 32
Whiteboard: (none) => mga3-32-ok
Testing complete mga3 64

Need an advisory now though please to be able to validate.
Whiteboard: mga3-32-ok => mga3-32-ok mga3-64-ok
Thanks Claire.

I got this response from one of the developers on IRC in #owncloud yesterday. They're still not posted yet.

[11:38:54] <AnybodyElse> Luigi12_work: I'll release them as soon as possible. Sorry. I'm actually *very* busy with my job.
[11:40:00] <AnybodyElse> Luigi12_work: that said: the vulnerabilities aren't really severe and only exploitable in some very special and unusuable setups

For now we can go with the following, and update later if need be.

Updated owncloud package fixes security vulnerabilities:

XSS vulnerability in “Share Interface” (oC-SA-2013-029).

Authentication bypass in “user_webdavauth” (oC-SA-2013-030).

This update provides OwnCloud 5.0.9, which fixes these issues, as well as several other bugs.

References:
http://owncloud.org/about/security/advisories/oC-SA-2013-029/
http://owncloud.org/about/security/advisories/oC-SA-2013-030/
http://owncloud.org/changelog/
CC: (none) => mageia
Summary: owncloud new security issues fixed in 5.0.8 => owncloud new security issues fixed in 5.0.9
Validating. Advisory uploaded with CVE-Not-Assigned-Yet, it will need to be updated later as they become available.

Could sysadmin please push from 3 core/updates_testing to core/updates?

Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Summary: owncloud new security issues fixed in 5.0.9 => owncloud new security issues fixed in 5.0.8
(In reply to claire robinson from comment #9)
> Validating. Advisory uploaded with CVE-Not-Assigned-Yet, it will need to be
> updated later as they become available.

In that case, no CVE should be listed. I've removed it.
CC: (none) => boklm
http://advisories.mageia.org/MGASA-2013-0220.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/560024/
CC: boklm => (none)