Upstream has issued an advisory on June 8:
https://owncloud.org/security/advisory/?id=oc-sa-2015-009

The issue is fixed upstream in 1.8.2.

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
The 1.8.2 release has been pulled due to a regression on Windows:
https://mailman.owncloud.org/pipermail/devel/2015-June/001323.html

I asked about it on IRC in #owncloud-devel and #owncloud-security and was told:
<danimo> Luigi12: we shall be releasing owncloud client 1.8.3 on monday or tuesday. 1.8.2 had a regression. It's not mainly affecting linux, but I'd still recommend to wait

So we'll wait and hopefully be able to get this in soon.
CC: (none) => fri
Great, thanks :)
owncloud-client 1.8.3 has been released on June 23:
https://owncloud.org/changelog/desktop/

I can't build now in Mageia 5 because of the partial Qt5 update in updates_testing, nothing can be built against Qt5. Saving the advisory for later.

If any sysadmins see this, please remove qtbase5 and associated RPMs from Mageia 5 core/updates_testing. We can't push that until all of the Qt5 packages are committed and ready to build.

Advisory:
========================

Updated owncloud-client packages fix security vulnerability:

ownCloud Desktop Client before 1.8.2 was vulnerable against MITM attacks when used in combination with self-signed certificates (CVE-2015-4456).

The owncloud-client package has been updated to version 1.8.3, which fixes this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4456
https://owncloud.org/security/advisory/?id=oc-sa-2015-009
https://owncloud.org/changelog/desktop/
CC: (none) => sysadmin-bugs
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Updated packages uploaded for Mageia 4 and Mageia 5.

Advisory:
========================

Updated owncloud-client packages fix security vulnerability:

ownCloud Desktop Client before 1.8.2 was vulnerable against MITM attacks when used in combination with self-signed certificates (CVE-2015-4456).

The owncloud-client package has been updated to version 1.8.3, which fixes this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4456
https://owncloud.org/security/advisory/?id=oc-sa-2015-009
https://owncloud.org/changelog/desktop/
========================

Updated packages in core/updates_testing:
========================
owncloud-client-1.8.3-1.mga4
libowncloudsync1-1.8.3-1.mga4
libocsync1-1.8.3-1.mga4
libowncloud-client-devel-1.8.3-1.mga4
owncloud-client-1.8.3-1.mga5
libowncloudsync1-1.8.3-1.mga5
libocsync1-1.8.3-1.mga5
libowncloud-client-devel-1.8.3-1.mga5

from SRPMS:
owncloud-client-1.8.3-1.mga4
owncloud-client-1.8.3-1.mga5
CC: sysadmin-bugs => mageia
Assignee: mageia => qa-bugs
Test OK mga5 i586 & x86_64; upgrading existing installation of client 1.8.1

Package owncloud-client-1.8.3-1.mga5 from mga5 core testing.

owncloud-client now also pulls current libowncloudsync1 and libocsync1/lib64ocsync1 - great!

?: shouldn't the advisory also list the lib*64* packages?

The client on initial start rechecks all existing sync folders and behaves correctly, no output in terminal it started from.
Tested on mga4 (32bit/64bit): I don't know how to test the vulnerability, but installation and syncing with an existing cloud work as expected.

Adding mga4-OK tags, and mga5-OK tags as well according to Comment 5.

After upload of the advisory, the update can be validated and pushed to core-updates.
CC: (none) => marc.lattemann
Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK MGA4-32-OK MGA5-64-OK MGA5-32-OK
Advisory committed to svn. Someone from the sysadmin team please push 16106.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-64-OK MGA4-32-OK MGA5-64-OK MGA5-32-OK => MGA4TOO MGA4-64-OK MGA4-32-OK MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0256.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/650303/