Upstream has announced that versions 5.0.15 and 6.0.2 will be available soon (RCs are available now) and fix several security issues:
http://owncloud.org/releases/Changelog
http://mailman.owncloud.org/pipermail/devel/2014-February/000036.html

Just FYI, owncloud-client 1.5.2 is available as well:
http://mailman.owncloud.org/pipermail/devel/2014-February/000041.html
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated to 6.0.2 in Cauldron. Version 5.0.15 and 6.0.2 uploaded to Mageia 3 and Mageia 4 updates_testing. CC'ing QA for now. Official release announcement from upstream and details about the security issues fixed won't be available until Monday from what I understand. We also might update owncloud-client along with this.
CC: (none) => qa-bugs
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Version 6.0.2 has been officially announced and the main Changelog page has been updated:
http://mailman.owncloud.org/pipermail/announcements/2014-March/000042.html
http://owncloud.org/changelog/

Still no details on the security issues that were fixed.
Assigning to QA. We won't be updating owncloud-client for stable releases at this time. Still no details on the security issues fixed, and if they plan to release any details, it's not apparent. Going with a generic advisory for now.

Advisory:
========================

Updated owncloud packages fix security vulnerabilities:

Owncloud versions 5.0.15 and 6.0.2 fix several unspecified security vulnerabilities, as well as many other bugs. See the upstream Changelog for more information.

References:
http://owncloud.org/changelog/
========================

Updated packages in core/updates_testing:
========================
owncloud-5.0.15-1.mga3
owncloud-6.0.2-1.mga4

from SRPMS:
owncloud-5.0.15-1.mga3.src.rpm
owncloud-6.0.2-1.mga4.src.rpm
CC: qa-bugs => mageia
Assignee: mageia => qa-bugs
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: owncloud

default install of owncloud
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.0-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud-client
Package owncloud-client-1.4.2-2.mga4.i586 is already installed

I was able to create a Vbox owncloud Server and Client. A file(s)/directory(s) change in the server shared file/directory list initiated a change in the client owncloud directory.

install owncloud from updates_testing
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.2-1.mga4.noarch is already installed

A file(s)/directory(s) change in the server shared file/directory list initiated a change in the client owncloud directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.int
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: owncloud

default install of owncloud
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.0-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud-client
Package owncloud-client-1.4.2-2.mga4.x86_64 is already installed

I was able to create a Vbox owncloud Server and Client. A file(s)/directory(s) change in the server shared file/directory list initiated a change in the client owncloud directory.

install owncloud from updates_testing
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.2-1.mga4.noarch is already installed

A file(s)/directory(s) change in the server shared file/directory list initiated a change in the client owncloud directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: owncloud

default install of owncloud
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.13-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud-client
Package owncloud-client-1.2.5-2.mga3.i586 is already installed

I was able to create a Vbox owncloud Server and Client. A file(s)/directory(s) change in the server shared file/directory list initiated a change in the client owncloud directory.

install owncloud from updates_testing
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.15-1.mga3.noarch is already installed

A file(s)/directory(s) change in the server shared file/directory list initiated a change in the client owncloud directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA4-32-OK MGA4-64-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: owncloud

default install of owncloud
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.13-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud-client
Package owncloud-client-1.2.5-2.mga3.x86_64 is already installed

I was able to create a Vbox owncloud Server and Client. A file(s)/directory(s) change in the server shared file/directory list initiated a change in the client owncloud directory.

install owncloud from updates_testing
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.15-1.mga3.noarch is already installed

A file(s)/directory(s) change in the server shared file/directory list initiated a change in the client owncloud directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
For me this update works fine.
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0120.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Details on the security issues fixed in 6.0.2 and 5.0.15 have been released:
http://owncloud.org/about/security/advisories/

CVE information for (oC-SA-2014-008) comes from the Fedora advisory:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133263.html

Advisory for ownCloud 6.0.2 (Mageia 4):
========================

Updated owncloud packages fix security vulnerabilities:

In ownCloud before 6.0.2, due to authenticating a user without invalidating any existing session identifier, an attacker has the opportunity to steal authenticated sessions. A successful exploit requires that PHP is configured to accept session parameters via GET (CVE-2014-2047).

In ownCloud before 6.0.2, due to insecure Flash Cross Domain policies, an attacker might gain access to stored files of the user (CVE-2014-2049).

In ownCloud before 6.0.2, due to trusting user-supplied input and interpreting it as the Host header, an attacker is able to craft a password reset mail with a link pointing to his own site. If a user clicks on the link, or software (e.g. antivirus) accesses the link, the attacker is able to reset the user's password (CVE-2014-2050).

In ownCloud before 6.0.2, due to not properly sanitizing the LDAP queries, an attacker is able to gain information about existing LDAP users, and is able to modify the login query, e.g. with a wildcard (CVE-2014-2051).

Multiple third party components of ownCloud before 6.0.2 are vulnerable to XXE attacks, which may lead to local file disclosure, server side request forgery, denial of service, code execution (depending on the PHP wrappers), or possibly other issues. The affected libraries are ZendFramework (CVE-2014-2052), GetID3 (CVE-2014-2053), PHPExcel (CVE-2014-2054), SabreDAV (CVE-2014-2055), and PHPDocX (CVE-2014-2056).

ownCloud before 6.0.2 is vulnerable to multiple stored and reflected XSS issues (CVE-2014-2057).

In ownCloud before 6.0.2, due to not properly sanitizing the mount configuration, authenticated users are able to mount the local filesystem into their ownCloud. A successful exploit requires the files_external app to be enabled (CVE-2014-2585).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2585
http://owncloud.org/about/security/advisories/oC-SA-2014-001/
http://owncloud.org/about/security/advisories/oC-SA-2014-003/
http://owncloud.org/about/security/advisories/oC-SA-2014-004/
http://owncloud.org/about/security/advisories/oC-SA-2014-005/
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
http://owncloud.org/about/security/advisories/oC-SA-2014-007/
http://owncloud.org/about/security/advisories/oC-SA-2014-008/
http://owncloud.org/changelog/
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133263.html

Advisory for ownCloud 5.0.15 (Mageia 3):
========================

Updated owncloud packages fix security vulnerabilities:

In ownCloud before 5.0.15, due to insecure Flash Cross Domain policies, an attacker might gain access to stored files of the user (CVE-2014-2049).

In ownCloud before 5.0.15, due to trusting user-supplied input and interpreting it as the Host header, an attacker is able to craft a password reset mail with a link pointing to his own site. If a user clicks on the link, or software (e.g. antivirus) accesses the link, the attacker is able to reset the user's password (CVE-2014-2050).

In ownCloud before 5.0.15, due to not properly sanitizing the LDAP queries, an attacker is able to gain information about existing LDAP users, and is able to modify the login query, e.g. with a wildcard (CVE-2014-2051).

Multiple third party components of ownCloud before 5.0.15 are vulnerable to XXE attacks, which may lead to local file disclosure, server side request forgery, denial of service, code execution (depending on the PHP wrappers), or possibly other issues. The affected libraries are ZendFramework (CVE-2014-2052), GetID3 (CVE-2014-2053), PHPExcel (CVE-2014-2054), SabreDAV (CVE-2014-2055), and PHPDocX (CVE-2014-2056).

In ownCloud before 5.0.15, due to not properly sanitizing the mount configuration, authenticated users are able to mount the local filesystem into their ownCloud. A successful exploit requires the files_external app to be enabled (CVE-2014-2585).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2056
http://owncloud.org/about/security/advisories/oC-SA-2014-003/
http://owncloud.org/about/security/advisories/oC-SA-2014-004/
http://owncloud.org/about/security/advisories/oC-SA-2014-005/
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
http://owncloud.org/about/security/advisories/oC-SA-2014-008/
http://owncloud.org/changelog/
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133263.html
URL: (none) => http://lwn.net/Vulnerabilities/598583/
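Two of the issues in the advisory above come down to the same root cause, trusting user-supplied input: the password reset link built from the request's Host header (CVE-2014-2050) and the login name spliced unescaped into an LDAP filter (CVE-2014-2051). The following is an added Python illustration of the vulnerable pattern beside the hardened one for each; it is not ownCloud's own (PHP) code nor anything from the Mageia package. The trusted-domain set, the filter template, the domain names, token and login values are all constructed for the example.

```python
"""Added example, not ownCloud code: defensive handling for two input-trust
issues named in the ownCloud 6.0.2 / 5.0.15 advisory.

CVE-2014-2050: a password-reset link built from the request's Host header
lets whoever sends the request choose where the link points. The defence
is to build the link only from a configured allowlist of trusted domains.

CVE-2014-2051: a login name spliced raw into an LDAP filter lets the user
change the query (e.g. a '*' wildcard). The defence is RFC 4515 escaping.
"""
from typing import Optional
from urllib.parse import quote

# Constructed deployment configuration. ownCloud's real equivalent is its
# "trusted_domains" config setting; this example does not use that code.
TRUSTED_DOMAINS = {"cloud.example.org", "cloud.example.org:8443"}


def reset_link_vulnerable(host_header: str, token: str) -> str:
    """Vulnerable pattern: trusts whatever Host value the client sent."""
    return f"https://{host_header}/lostpassword/reset/{quote(token, safe='')}"


def reset_link_hardened(host_header: str, token: str) -> Optional[str]:
    """Hardened pattern: emit a link only for a configured trusted domain.

    Returns None when the Host header is not trusted; the caller should log
    the mismatch and refuse to send the mail rather than fall back to the
    untrusted value.
    """
    host = host_header.strip().lower()
    if host not in TRUSTED_DOMAINS:
        return None
    return f"https://{host}/lostpassword/reset/{quote(token, safe='')}"


# RFC 4515 section 3: characters that must be hex-escaped inside an LDAP
# filter assertion value. Each character maps independently, so there is
# no double-escaping problem with the backslash.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be a literal in an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(login: str) -> str:
    """Vulnerable pattern: raw splice; a login of '*' matches every user."""
    return f"(&(objectClass=inetOrgPerson)(uid={login}))"


def login_filter_hardened(login: str) -> str:
    """Hardened pattern: the login name is escaped before it enters the filter."""
    return f"(&(objectClass=inetOrgPerson)(uid={ldap_escape_filter_value(login)}))"


if __name__ == "__main__":
    # Constructed inputs: a Host header the server does not serve, and a
    # login name carrying LDAP filter metacharacters.
    print(reset_link_vulnerable("attacker.example", "tok3n"))
    print(reset_link_hardened("attacker.example", "tok3n"))
    print(reset_link_hardened("cloud.example.org", "tok3n"))
    print(login_filter_vulnerable("*"))
    print(login_filter_hardened("*"))
    print(login_filter_hardened("alice)(uid=*"))
```

The hardened reset function deliberately returns None instead of substituting a default domain, so a mismatch surfaces in logs as a signal worth investigating rather than being silently papered over. The LDAP escaping is the standard RFC 4515 value escaping; the same rule applies to any user-controlled value placed in a filter, not just the login name.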