Upstream has announced ownCloud updates on March 12:
https://mailman.owncloud.org/pipermail/announcements/2015-March/000063.html

The upstream changelog has more details and is dated March 11:
https://owncloud.org/changelog/

Upstream is being their usual unhelpful selves and not releasing information about the security issues. Generic advisory it is!

Freeze push requested for 7.0.5 in Cauldron.

Updated 6.0.7 package uploaded for Mageia 4.

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

Owncloud version 6.0.7 fixes several unspecified security vulnerabilities, as well as many other bugs. See the upstream Changelog for more information.

References:
http://owncloud.org/changelog/
========================

Updated packages in core/updates_testing:
========================
owncloud-6.0.7-1.mga4

from owncloud-6.0.7-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Testing on Mageia4x64 real hardware.

From current package:
--------------------
owncloud-6.0.4-1.mga4

Set up an owncloud server using sqlite, browsed to:
https://zitounmga4/owncloud/
Configured a login and a password. After confirmation, owncloud finalized installation and opened main page.
Dragged a file and an image from desktop to owncloud, changed some administration settings, put an event in calendar, created a user and a group.
From remote host through lan, connected to:
https://zitounmga4/owncloud/
as both users, uploaded a file, verified in host, OK.

To updated testing package:
--------------------------
owncloud-6.0.7-1.mga4

Browsed back to my previous installation https://zitounmga4/owncloud/
Saw a quick warning advising owncloud server was being updated and got to connection screen.
Logged in, verified previous alterations and uploaded files were still present, created new document, all ok.
Connected from remote machine, OK.

Uninstalled owncloud, removed database.
Created a new installation of owncloud using mysql database.
Basic usage + connected to it with remote client through lan.
All OK
CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK
Created attachment 6122 [details] Proposed owncloud setting procedure
Created attachment 6123 [details] Reviewed owncloud installation procedure Sorry, there was an error in previous attachment (6122) concerning mysql database creation.
Attachment 6122 is obsolete: 0 => 1
Testing on Mageia4x32 using same procedure as in comment 2.

From current package:
--------------------
owncloud-6.0.4-1.mga4

Could set an owncloud server using SQLite, basic usage and connected to it from remote guest (virtualbox).

To updated testing package:
--------------------------
owncloud-6.0.7-1.mga4

When connecting to owncloud server, message flashing by about an upgrade taking place, basic usage, connection from remote guest.
All OK
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0125.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/638725/
Upstream advisories are available:
https://owncloud.org/security/advisory/?id=oc-sa-2015-001
https://owncloud.org/security/advisory/?id=oc-sa-2015-002
https://owncloud.org/security/advisory/?id=oc-sa-2015-004

Mandriva has issued an advisory for this on April 1:
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A191/

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

Multiple stored XSS in contacts application (oC-SA-2015-001).

Multiple stored XSS in documents application (oC-SA-2015-002).

Bypass of file blacklist (oC-SA-2015-004).

Owncloud has been updated to version 6.0.7, which fixes these issues as well as many other bugs.

References:
https://owncloud.org/security/advisory/?id=oc-sa-2015-001
https://owncloud.org/security/advisory/?id=oc-sa-2015-002
https://owncloud.org/security/advisory/?id=oc-sa-2015-004
http://owncloud.org/changelog/
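The advisory above names 6.0.7 (package owncloud-6.0.7-1.mga4) as the version carrying the oC-SA-2015-001/002/004 fixes. The following script is an added example, not part of this bug report or of the ownCloud project, for verifying that a deployed instance is at or past that version, both from the package side (the `rpm -q owncloud` name-version-release string) and from the server side (the JSON that ownCloud's status.php endpoint returns to sync clients). The sample inputs are constructed; the exact JSON value shapes (for example whether `installed` is a boolean or the string "true") are an assumption and the code accepts both. The one point worth showing is that versions must be compared numerically, since a plain string comparison would rank a hypothetical 6.0.10 below 6.0.7.

```python
import json
import re

# Fixed version and Mageia 4 package release as stated in the advisory.
FIXED_VERSION = "6.0.7"
FIXED_PACKAGE = ("6.0.7", 1)  # (upstream version, package release number)

# Constructed samples: what 'rpm -q owncloud' might print before and after
# the update, and what status.php might return (field names follow ownCloud's
# status.php; the value shapes are an assumption).
SAMPLE_RPM_BEFORE = "owncloud-6.0.4-1.mga4"
SAMPLE_RPM_AFTER = "owncloud-6.0.7-1.mga4"
SAMPLE_STATUS_BEFORE = '{"installed":"true","version":"6.0.4.1","versionstring":"6.0.4","edition":""}'
SAMPLE_STATUS_AFTER = '{"installed":"true","version":"6.0.7.1","versionstring":"6.0.7","edition":""}'


def version_tuple(s):
    """Convert '6.0.7' (or '6.0.7.1') into a tuple of ints.

    Numeric tuples compare correctly; comparing the raw strings would put
    '6.0.10' before '6.0.7', which is exactly the mistake a version check
    must avoid.
    """
    return tuple(int(part) for part in s.strip().split("."))


def status_is_fixed(status_json, fixed=FIXED_VERSION):
    """Return True if a status.php body shows an installed instance whose
    versionstring is at or above the fixed version."""
    status = json.loads(status_json)
    installed = str(status.get("installed", "")).lower() == "true"
    if not installed:
        # An instance that is still in its install/upgrade step is not
        # something we can vouch for yet.
        return False
    return version_tuple(status["versionstring"]) >= version_tuple(fixed)


_NVR_RE = re.compile(r"^owncloud-(\d+(?:\.\d+)*)-(\d+)\.mga4$")


def rpm_is_fixed(nvr, fixed=FIXED_PACKAGE):
    """Return True if an 'rpm -q owncloud' string names a Mageia 4 package at
    or above the fixed (version, release)."""
    match = _NVR_RE.match(nvr.strip())
    if not match:
        raise ValueError("unexpected package string: %r" % nvr)
    version, release = match.groups()
    fixed_version, fixed_release = fixed
    return (version_tuple(version), int(release)) >= (
        version_tuple(fixed_version),
        fixed_release,
    )


def check_samples():
    """Run both checks over the constructed samples and report the results."""
    return {
        "rpm_before": rpm_is_fixed(SAMPLE_RPM_BEFORE),
        "rpm_after": rpm_is_fixed(SAMPLE_RPM_AFTER),
        "status_before": status_is_fixed(SAMPLE_STATUS_BEFORE),
        "status_after": status_is_fixed(SAMPLE_STATUS_AFTER),
    }


if __name__ == "__main__":
    for name, ok in sorted(check_samples().items()):
        print("%-14s %s" % (name, "fixed" if ok else "NOT fixed"))
```

On a live host the two inputs would come from `rpm -q owncloud` and from fetching `https://<host>/owncloud/status.php`; the script deliberately takes the strings as arguments so it can be exercised offline against the constructed samples.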
LWN reference with the additional details: http://lwn.net/Vulnerabilities/638903/
These are now CVE-2015-301[1-3], according to this Debian advisory: https://www.debian.org/security/2015/dsa-3244 LWN reference with the CVEs: http://lwn.net/Vulnerabilities/643133/ I'm not sure where Debian found the CVEs, since they're still not listed on the upstream advisories.