Bug 15533 - owncloud new security issues fixed upstream in 6.0.7 and 7.0.5
Summary: owncloud new security issues fixed upstream in 6.0.7 and 7.0.5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/638725/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-19 22:31 CET by David Walser
Modified: 2015-05-05 19:20 CEST (History)

See Also:
Source RPM: owncloud-6.0.4-1.mga4.src.rpm
CVE:
Status comment:


Attachments
Proposed owncloud setting procedure (1.87 KB, application/octet-stream), 2015-03-23 00:31 CET, olivier charles
Reviewed owncloud installation procedure (1.87 KB, text/plain), 2015-03-23 00:42 CET, olivier charles

Description David Walser 2015-03-19 22:31:27 CET
Upstream has announced ownCloud updates on March 12:
https://mailman.owncloud.org/pipermail/announcements/2015-March/000063.html

The upstream changelog has more details and is dated March 11:
https://owncloud.org/changelog/

Upstream is being their usual unhelpful selves and not releasing information about the security issues.  Generic advisory it is!

Freeze push requested for 7.0.5 in Cauldron.

Updated 6.0.7 package uploaded for Mageia 4.

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

Owncloud version 6.0.7 fixes several unspecified security vulnerabilities,
as well as many other bugs.

See the upstream Changelog for more information.

References:
http://owncloud.org/changelog/
========================

Updated packages in core/updates_testing:
========================
owncloud-6.0.7-1.mga4

from owncloud-6.0.7-1.mga4.src.rpm

Comment 1 olivier charles 2015-03-23 00:14:11 CET
Testing on Mageia4x64 real hardware,

From current package :
--------------------
owncloud-6.0.4-1.mga4

Set up an owncloud server using sqlite, browsed to: https://zitounmga4/owncloud/

Configured a login and a password

After confirmation, owncloud finalized installation and opened main page.

Dragged a file and an image from desktop to owncloud, changed some administration settings, put an event in calendar, created a user and a group.

From remote host through lan, connected to :
https://zitounmga4/owncloud/
to both users, uploaded a file, verified in host, OK.

To updated testing package :
--------------------------
owncloud-6.0.7-1.mga4

Browsed back to my previous installation https://zitounmga4/owncloud/

Saw a quick warning advising owncloud server was being updated and got to connection screen.
Logged in, verified previous alterations and uploaded files were still present, created new document, all ok.

Connected from remote machine, OK.


Uninstalled owncloud, removed database.

Created a new installation of owncloud using mysql database.
Basic usage + connected to it with remote client through lan.

All OK

CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK

Comment 2 olivier charles 2015-03-23 00:31:49 CET
Created attachment 6122
Proposed owncloud setting procedure
Comment 3 olivier charles 2015-03-23 00:42:58 CET
Created attachment 6123
Reviewed owncloud installation procedure


Sorry, there was an error in previous attachment (6122) concerning mysql database creation.

Attachment 6122 is obsolete: 0 => 1

Comment 4 olivier charles 2015-03-31 22:36:01 CEST
Testing on Mageia4x32 using same procedure as in comment 2

From current package :
--------------------
owncloud-6.0.4-1.mga4

Could set an owncloud server using SQlite, basic usage and connected to it from remote guest (virtualbox)

To updated testing package :
--------------------------
owncloud-6.0.7-1.mga4

When connecting to owncloud server, message flashing by about an upgrade taking place, basic usage, connection from remote guest

All OK

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 5 claire robinson 2015-04-01 11:23:54 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-04-01 14:14:16 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0125.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-04-01 20:29:59 CEST

URL: (none) => http://lwn.net/Vulnerabilities/638725/

Comment 7 David Walser 2015-04-02 23:27:04 CEST
Upstream advisories are available:
https://owncloud.org/security/advisory/?id=oc-sa-2015-001
https://owncloud.org/security/advisory/?id=oc-sa-2015-002
https://owncloud.org/security/advisory/?id=oc-sa-2015-004

Mandriva has issued an advisory for this on April 1:
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A191/

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

Multiple stored XSS in contacts application (oC-SA-2015-001).

Multiple stored XSS in documents application (oC-SA-2015-002).

Bypass of file blacklist (oC-SA-2015-004).

Owncloud has been updated to version 6.0.7, which fixes these issues as well
as many other bugs.

References:
https://owncloud.org/security/advisory/?id=oc-sa-2015-001
https://owncloud.org/security/advisory/?id=oc-sa-2015-002
https://owncloud.org/security/advisory/?id=oc-sa-2015-004
http://owncloud.org/changelog/
Comment 8 David Walser 2015-04-02 23:27:22 CEST
LWN reference with the additional details:
http://lwn.net/Vulnerabilities/638903/
Comment 9 David Walser 2015-05-05 19:20:18 CEST
These are now CVE-2015-301[1-3], according to this Debian advisory:
https://www.debian.org/security/2015/dsa-3244

LWN reference with the CVEs:
http://lwn.net/Vulnerabilities/643133/

I'm not sure where Debian found the CVEs, since they're still not listed on the upstream advisories.
