Bug 12889 - owncloud new security issues fixed upstream in 5.0.15 and 6.0.2
: owncloud new security issues fixed upstream in 5.0.15 and 6.0.2
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/598583/
: MGA3TOO advisory MGA3-32-OK MGA3-64-O...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-02-27 02:50 CET by David Walser
Modified: 2014-05-14 19:24 CEST (History)
4 users (show)

See Also:
Source RPM: owncloud-6.0.0-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-02-27 02:50:33 CET
Upstream has announced that versions 5.0.15 and 6.0.2 will be available soon (RCs are available now) and fix several security issues:
http://owncloud.org/releases/Changelog
http://mailman.owncloud.org/pipermail/devel/2014-February/000036.html

Just FYI, owncloud-client 1.5.2 is available as well:
http://mailman.owncloud.org/pipermail/devel/2014-February/000041.html

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-03-02 23:51:30 CET
Updated to 6.0.2 in Cauldron.

Version 5.0.15 and 6.0.2 uploaded to Mageia 3 and Mageia 4 updates_testing.

CC'ing QA for now.  Official release announcement from upstream and details about the security issues fixed won't be available until Monday from what I understand.

We also might update owncloud-client along with this.
Comment 2 David Walser 2014-03-04 17:17:04 CET
Version 6.0.2 has been officially announced and the main Changelog page has been updated:
http://mailman.owncloud.org/pipermail/announcements/2014-March/000042.html
http://owncloud.org/changelog/

Still no details on the security issues that were fixed.
Comment 3 David Walser 2014-03-05 01:13:15 CET
Assigning to QA.  We won't be updating owncloud-client for stable releases at this time.  Still no details on the security issues fixed, and if they plan to release any details, it's not apparent.  Going with a generic advisory for now.

Advisory:
========================

Updated owncloud packages fix security vulnerabilities:

Owncloud versions 5.0.15 and 6.0.2 fix several unspecified security
vulnerabilities, as well as many other bugs.

See the upstream Changelog for more information.

References:
http://owncloud.org/changelog/
========================

Updated packages in core/updates_testing:
========================
owncloud-5.0.15-1.mga3
owncloud-6.0.2-1.mga4

from SRPMS:
owncloud-5.0.15-1.mga3.src.rpm
owncloud-6.0.2-1.mga4.src.rpm
Comment 4 William Kenney 2014-03-05 19:22:37 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.0-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud-client
Package owncloud-client-1.4.2-2.mga4.i586 is already installed

I was able to create a Vbox owncloud Server and Client.

A file(s)/directory(s) change in the server shared file/directory
list initiated a change in the client owncloud directory.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.2-1.mga4.noarch is already installed

A file(s)/directory(s) change in the server shared file/directory
list initiated a change in the client owncloud directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 5 William Kenney 2014-03-05 20:34:41 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.0-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud-client
Package owncloud-client-1.4.2-2.mga4.x86_64 is already installed

I was able to create a Vbox owncloud Server and Client.

A file(s)/directory(s) change in the server shared file/directory
list initiated a change in the client owncloud directory.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.2-1.mga4.noarch is already installed

A file(s)/directory(s) change in the server shared file/directory
list initiated a change in the client owncloud directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 6 William Kenney 2014-03-05 21:26:04 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.13-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud-client
Package owncloud-client-1.2.5-2.mga3.i586 is already installed

I was able to create a Vbox owncloud Server and Client.

A file(s)/directory(s) change in the server shared file/directory
list initiated a change in the client owncloud directory.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.15-1.mga3.noarch is already installed

A file(s)/directory(s) change in the server shared file/directory
list initiated a change in the client owncloud directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 7 William Kenney 2014-03-05 22:15:13 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.13-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud-client
Package owncloud-client-1.2.5-2.mga3.x86_64 is already installed

I was able to create a Vbox owncloud Server and Client.

A file(s)/directory(s) change in the server shared file/directory
list initiated a change in the client owncloud directory.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.15-1.mga3.noarch is already installed

A file(s)/directory(s) change in the server shared file/directory
list initiated a change in the client owncloud directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 8 William Kenney 2014-03-05 22:15:46 CET
For me this update works fine.
Comment 9 claire robinson 2014-03-06 16:51:31 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 10 Thomas Backlund 2014-03-06 22:53:04 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0120.html
Comment 11 David Walser 2014-05-14 19:24:30 CEST
Details on the security issues fixed in 6.0.2 and 5.0.15 have been released:
http://owncloud.org/about/security/advisories/

CVE information for (oC-SA-2014-008) comes from the Fedora advisory:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133263.html

Advisory for ownCloud 6.0.2 (Mageia 4):
========================

Updated owncloud packages fix security vulnerabilities:

In ownCloud before 6.0.2, due to authenticating a user without invalidating
any existing session identifier an attacker has the opportunity to steal
authenticated sessions. A successful exploit requires that PHP is configured
to accept session parameters via GET (CVE-2014-2047).

In ownCloud before 6.0.2, due to insecure Flash Cross Domain policies an
attacker might gain access to stored files of the user (CVE-2014-2049).

In ownCloud before 6.0.2, due to trusting user supplied input and interpret
it as Host header an attacker is able to craft a password reset mail with a
link pointing to his own site. If a user clicks on the link or a software
(e.g. antivirus) is accessing the link the attacker is able to reset the
user password (CVE-2014-2050).

In ownCloud before 6.0.2, due to not properly sanitizing the LDAP queries,
an attacker is able to gain information about existing LDAP users, and able
to modify the login query, e.g. with a wildcard (CVE-2014-2051).

Multiple third party components of ownCloud before 6.0.2 are vulnerable to
XXE attacks, which may lead to local file disclosure, server side request
forgery, denial of service, code execution (depending on the PHP wrappers),
or possibly other issues.  The affected libraries are ZendFramework
(CVE-2014-2052), GetID3 (CVE-2014-2053), PHPExcel (CVE-2014-2054), SabreDAV
(CVE-2014-2055), and PHPDocX (CVE-2014-2056).

ownCloud before 6.0.2 is vulnerable to multiple stored and reflected XSS
issues (CVE-2014-2057).

In ownCloud before 6.0.2, due to not properly sanitzing the mount
configuration authenticated users are able to mount the local filesystem
into their ownCloud. A successful exploit requires the files_external app
to be enabled (CVE-2014-2585).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2585
http://owncloud.org/about/security/advisories/oC-SA-2014-001/
http://owncloud.org/about/security/advisories/oC-SA-2014-003/
http://owncloud.org/about/security/advisories/oC-SA-2014-004/
http://owncloud.org/about/security/advisories/oC-SA-2014-005/
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
http://owncloud.org/about/security/advisories/oC-SA-2014-007/
http://owncloud.org/about/security/advisories/oC-SA-2014-008/
http://owncloud.org/changelog/
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133263.html


Advisory for ownCloud 5.0.15 (Mageia 3):
========================

Updated owncloud packages fix security vulnerabilities:

In ownCloud before 5.0.15, due to insecure Flash Cross Domain policies an
attacker might gain access to stored files of the user (CVE-2014-2049).

In ownCloud before 5.0.15, due to trusting user supplied input and interpret
it as Host header an attacker is able to craft a password reset mail with a
link pointing to his own site. If a user clicks on the link or a software
(e.g. antivirus) is accessing the link the attacker is able to reset the
user password (CVE-2014-2050).

In ownCloud before 5.0.15, due to not properly sanitizing the LDAP queries,
an attacker is able to gain information about existing LDAP users, and able
to modify the login query, e.g. with a wildcard (CVE-2014-2051).

Multiple third party components of ownCloud before 5.0.15 are vulnerable to
XXE attacks, which may lead to local file disclosure, server side request
forgery, denial of service, code execution (depending on the PHP wrappers),
or possibly other issues.  The affected libraries are ZendFramework
(CVE-2014-2052), GetID3 (CVE-2014-2053), PHPExcel (CVE-2014-2054), SabreDAV
(CVE-2014-2055), and PHPDocX (CVE-2014-2056).

In ownCloud before 5.0.15, due to not properly sanitzing the mount
configuration authenticated users are able to mount the local filesystem
into their ownCloud. A successful exploit requires the files_external app
to be enabled (CVE-2014-2585).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2056
http://owncloud.org/about/security/advisories/oC-SA-2014-003/
http://owncloud.org/about/security/advisories/oC-SA-2014-004/
http://owncloud.org/about/security/advisories/oC-SA-2014-005/
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
http://owncloud.org/about/security/advisories/oC-SA-2014-008/
http://owncloud.org/changelog/
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133263.html

Note You need to log in before you can comment on or make changes to this bug.