Upstream has released version 5.0.13 on November 8: http://mail.kde.org/pipermail/owncloud/2013-November/011024.html It says there's a security fix in it, though no details seem to be available. Obviously I'm not sure if the issue also affects Cauldron, but we have 6.0.0 beta 2 there, and beta 5 is currently available, and the release candidate is supposed to be out today, so it should probably be updated there too.
The upstream changelog actually does say something about this: "SECURITY: Fix a possible security bypass on admin page under certain circumstances and MariaDB." http://owncloud.org/changelog/
"Don't write user passwords into logfile" :-)
CC: (none) => oe
http://www.openwall.com/lists/oss-security/2013/11/28/6
Summary: owncloud new security issue fixed in 5.0.13 => owncloud new security issue fixed in 5.0.13 (CVE-2013-6403)
Package updated to beta5 in Cauldron, but now RC1 is out: http://mail.kde.org/pipermail/owncloud/2013-November/011143.html
on the BS right now
Thanks Nicolas! RedHat has rated this as a high severity issue: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6403

Advisory:
========================

Updated owncloud package fixes security vulnerability:

Possible security bypass on admin page under certain circumstances and MariaDB (CVE-2013-6403).

The owncloud package has been updated to version 5.0.13, fixing this and many other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6403
http://www.openwall.com/lists/oss-security/2013/11/28/6
http://owncloud.org/changelog/
========================

Updated packages in core/updates_testing:
========================
owncloud-5.0.13-1.mga3

from owncloud-5.0.13-1.mga3.src.rpm
CC: (none) => mageia
Assignee: mageia => qa-bugs
Severity: normal => critical
Testing complete mga3 64. As the CVE affects MariaDB rather than the default SQLite, installed owncloud with php-pdo_mysql and configured it to use MariaDB. Created user & database owncloud with password owncloud on localhost and opened http://localhost/owncloud in a browser. The database configuration becomes visible if 'Advanced' is clicked when configuring the admin user. Selected mysql and entered the database details there. Logged in, uploaded some files and then checked after installing the update. It upgraded its database OK and no issues noted. After uninstalling, removed the old config/data etc. with rm -rf /usr/share/owncloud
Whiteboard: (none) => has_procedure mga3-64-ok
Testing complete mga3 32. Advisory uploaded. Validating. Could sysadmin please push from 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0367.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/576924/