Upstream announced new versions on June 28:
http://mailman.owncloud.org/pipermail/announcements/2014-June/000048.html

Details on the security issue have not been released yet, but the rest of the changes are listed here:
http://owncloud.org/changelog/

Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated owncloud package fixes security vulnerability:

Owncloud versions 5.0.17 and 6.0.4 fix an unspecified security vulnerability, as well as many other bugs. See the upstream Changelog for more information.

References:
http://owncloud.org/changelog/
========================

Updated packages in core/updates_testing:
========================
owncloud-5.0.17-1.mga3
owncloud-6.0.4-1.mga4

from SRPMS:
owncloud-5.0.17-1.mga3.src.rpm
owncloud-6.0.4-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Postgresql PDO driver not being installed by installation script. Installed OwnCloud 6.04 on MGA4x64 test system with postgresql as the database. Unable to get beyond setup.php with popup error message "Error while trying to create admin user:" "could not find driver". Manually installed php-pdo_pgsql and it all worked.
CC: (none) => gm4nzg
Testing MGA4 64-bit real hardware (with Postgresql).

Installed owncloud-6.0.3-1.mga4 and Postgresql. Set up Owncloud as per:
http://doc.owncloud.org/server/6.0/admin_manual/installation/installation_wizard.html
-> http://doc.owncloud.org/server/6.0/admin_manual/configuration/configuration_database.html

Set up the database following precise instructions at:
http://doc.owncloud.org/server/6.0/admin_manual/configuration/configuration_database.html/#postgresql-database
[or #mysql-mariadb-database or #sqlite-database as you wish].

On first launching Owncloud via http://localhost/owncloud I was stuck with a straight Login screen from an old installation. Following advice to remove /usr/share/owncloud/config/config.php (which should have been removed by urpme owncloud in my view) I got the correct Setup screen. Selecting 'Advanced', Postgresql database, this needed 4 parameters:
- Database username
- This username's password (confusingly called 'Database password')
- Database name
- Database host name, here localhost.

After which it started & worked OK within the poking around I did. Subsequent accesses just give the straight Login screen, correctly.

Using Opera, the main admin interface did not have the penultimate Bookmarks icon (but space for it) on the left, and the bottom '+' icon to add applications was 1/2 hidden - and could not be brought into view - but showed just enough to work.

Updated from Core Updates Testing to: owncloud-6.0.4-1.mga4 and re-launching it, it acknowledged that it had been updated but this passed too quickly to the normal Login screen to note the few comments output. Repeating the exploratory functionality tried before the update, everything seemed the same.
CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
I should have added at the beginning of Comment 2 that already installed was every known [?] PHP pkg from a recent PHP update.
Testing complete mga3 32
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO mga3-32-ok MGA4-64-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed

http://localhost/owncloud gets me the initialization page.
I can log in as root user then create a contact.
I can create an event in the calendar.
I can add music and pictures.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed

http://localhost/owncloud gets me the initialization page.
I can log in as root user then create another contact.
I can create another event in the calendar.
I can add more music and pictures.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO mga3-32-ok MGA4-64-OK => MGA3TOO mga3-32-ok MGA3-64-OK MGA4-64-OK
Testing complete mga4 32
Whiteboard: MGA3TOO mga3-32-ok MGA3-64-OK MGA4-64-OK => MGA3TOO mga3-32-ok MGA3-64-OK mga4-32-ok MGA4-64-OK
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga3-32-ok MGA3-64-OK mga4-32-ok MGA4-64-OK => MGA3TOO advisory mga3-32-ok MGA3-64-OK mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs
Update pushed http://advisories.mageia.org/MGASA-2014-0301.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
Details on the security issue are now available. Updated advisory below.

Advisory:
========================

Updated owncloud package fixes security vulnerability:

In ownCloud before 5.0.17 and 6.0.4, there exists a limited local file inclusion vulnerability due to an improper control of the filename for a require_once() statement in the routing component (CVE-2014-4929).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4929
http://owncloud.org/security/advisory/?id=oc-sa-2014-018
http://owncloud.org/changelog/