ownCloud 8.0.5 has been released on July 6:
https://owncloud.org/changelog/

It fixed security issues, as did 8.0.4 and 6.0.8, as can be seen here:
https://owncloud.org/security/advisories/

It would be nice to address the long-standing packaging issues too (see Bug 16179)
CC: (none) => mageia
Whiteboard: (none) => MGA5TOO, MGA4TOO
owncloud-8.0.5-1.mga6 uploaded for Cauldron.
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
available on mga5 updates_testing
(In reply to Nicolas Lécureuil from comment #2)
> available on mga5 updates_testing

It shouldn't have had a subrel added. Also, it doesn't include the fixes that blino committed in Cauldron.
just added blino's changes.
Thanks Nicolas and Olivier!

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

In ownCloud before 6.0.8 and 8.0.4, a bug in the SDK used to connect ownCloud against the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted (CVE-2015-4715).

In ownCloud before 6.0.8 and 8.0.4, the sanitization component for filenames was vulnerable to DoS when parsing specially crafted file names passed via specific endpoints. Effectively this led to an endless loop filling the log file until the system is not anymore responsive (CVE-2015-4717).

In ownCloud before 6.0.8 and 8.0.4, the external SMB storage of ownCloud was not properly neutralizing all special elements which allows an adversary to execute arbitrary SMB commands. This was caused by improperly sanitizing the ";" character which is interpreted as command separator by smbclient (the used software to connect to SMB shared by ownCloud). Effectively this allows an attacker to gain access to any file on the system or overwrite it, finally leading to a PHP code execution in the case of ownCloud's config file (CVE-2015-4718).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4718
https://owncloud.org/security/advisory/?id=oc-sa-2015-005
https://owncloud.org/security/advisory/?id=oc-sa-2015-007
https://owncloud.org/security/advisory/?id=oc-sa-2015-008
http://owncloud.org/changelog/
========================

Updated packages in core/updates_testing:
========================
owncloud-6.0.9-1.mga4
owncloud-8.0.5-1.2.mga5

from SRPMS:
owncloud-6.0.9-1.mga4.src.rpm
owncloud-8.0.5-1.2.mga5.src.rpm
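The ";" separator problem described in the CVE-2015-4718 paragraph above, as an added example that is not part of the bug report and is not ownCloud's code: the unchecked way of building an smbclient command string beside a checked one that refuses such names. All function names and sample names are hypothetical, and wrapping arguments in double quotes is an assumption of this example.

```python
import re

# Characters refused in any name placed into an smbclient command string.
# ";" is the separator named in the advisory; the double quote and control
# characters are refused too because this example quotes its arguments
# (an assumption of the example, not taken from the ownCloud fix).
_REFUSED = re.compile(r'[;"\x00-\x1f\x7f]')


class UnsafeSmbName(ValueError):
    """Raised when a name cannot be placed safely into a command string."""


def split_commands(command_string):
    """Model of the behaviour the advisory describes: ';' separates commands."""
    return [part.strip() for part in command_string.split(";") if part.strip()]


def build_get_unchecked(remote_name, local_path):
    """The weak pattern: names are pasted into the command string as-is."""
    return "get %s %s" % (remote_name, local_path)


def quote_name(name):
    """Refuse empty names and names with a refused character, then quote."""
    if not name or _REFUSED.search(name):
        raise UnsafeSmbName("refused name: %r" % (name,))
    return '"%s"' % name


def build_get_checked(remote_name, local_path):
    """The hardened pattern: every name is validated before it is used."""
    return "get %s %s" % (quote_name(remote_name), quote_name(local_path))


def is_refused(remote_name, local_path="/tmp/out"):
    """True when the checked builder rejects the name."""
    try:
        build_get_checked(remote_name, local_path)
        return False
    except UnsafeSmbName:
        return True


if __name__ == "__main__":
    # Constructed sample names, not taken from the bug report.
    for name in ("notes 2015.txt", "notes.txt; help"):
        unchecked = build_get_unchecked(name, "/tmp/out")
        print(repr(name), "->", len(split_commands(unchecked)), "command(s);",
              "refused" if is_refused(name) else build_get_checked(name, "/tmp/out"))
```
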
CC: (none) => mageia
Assignee: mageia => qa-bugs
MGA4-32 on Acer D620 Xfce.

No installation issues.
After installation make sure httpd is running.
Point browser to http://localhost/owncloud.
I was able to define an administrator id and password, and then look at the contents of the server.
Pointing firefox on another PC, which was not prepared for this test, to http://<PCundertest>/owncloud results in an Owncloud page, stating that the server was being accessed from an untrusted domain, not defined in config/config.php. This indicates that the server was accessed successfully from the LAN.
CC: (none) => herman.viaene
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.7-1.mga4.noarch is already installed

http://localhost/owncloud gets me the initialization page.
Create admin account
Username, Password, Group, Contact, Organization
Username: testown
Password: testcloud
Group: test
Contact: wilcal
Organization: International
I can create an event in the calendar.
I can add music and pictures.
I can create a document
I can log out and log back in.
192.168.1.140/owncloud server can be seen by another M5 system on the LAN.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.9-1.mga4.noarch is already installed

Start owncloud: http://localhost/owncloud/
owncloud takes a second to update.
Create new Group, Contact, Organization
Username: testown ( is still valid )
Password: testcloud ( is still valid )
Group: test1
Contact: wilcal1
Organization: International1
I can create a new event in the calendar and edit an old one
I can add more music and pictures.
I can create a new document and edit an old one.
I can log out and log back in.
192.168.1.140/owncloud server can be seen by another M5 system on the LAN.
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.7-1.mga4.noarch is already installed

http://localhost/owncloud gets me the initialization page.
Create admin account
Username, Password, Group, Contact, Organization
Username: testown
Password: testcloud
Group: test
Contact: wilcal
Organization: International
I can create an event in the calendar.
I can add music and pictures.
I can create, and edit, a document
I can log out and log back in.
192.168.1.142/owncloud server can be seen by another M5 system on the LAN.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.9-1.mga4.noarch is already installed

Start owncloud: http://localhost/owncloud/
owncloud takes a second to update.
Create new Group, Contact, Organization
Username: testown ( is still valid )
Password: testcloud ( is still valid )
Group: test1
Contact: wilcal1
Organization: International1
I can create a new event in the calendar and edit an old one
I can add more music and pictures.
I can create a new document and edit an old one.
I can log out and log back in.
192.168.1.142/owncloud server can be seen by another M5 system on the LAN.
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.3-1.mga5.noarch is already installed

http://localhost/owncloud gets me a blank white page.

I donno what happened????
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.3-1.mga5.noarch is already installed

Ya, same thing here.
http://localhost/owncloud gets me a blank white page.

What happened????
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK advisory
Is it the same if you add a trailing slash ?
http://localhost/owncloud/

Anything in the log files from /var/log/httpd/ ?
Or in /var/lib/owncloud/owncloud.log ?
In VirtualBox, M5, KDE, 32-bit

After all the updates to Firefox and everything else:

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.3-1.mga5.noarch is already installed

http://localhost/owncloud or http://localhost/owncloud/ works the same
http://localhost/owncloud gets me the initialization page.
Create admin account
Username, Password, Group, Contact, Organization
Username: testown
Password: testcloud
Group: test
Contact: wilcal
Organization: International
I can add music and pictures.
I can create a document
I can log out and log back in.
192.168.1.143/owncloud server can be seen by another M5 system on the LAN.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.5-1.2.mga5.noarch is already installed

Start owncloud: http://localhost/owncloud/
owncloud takes a second to update.
Create new Group, Contact, Organization
Username: testown ( is still valid )
Password: testcloud ( is still valid )
Group: test1
Contact: wilcal1
Organization: International1
I can add more music and pictures.
I can create a new document and edit an old one.
I can log out and log back in.
192.168.1.143/owncloud server can be seen by another M5 system on the LAN.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK advisory => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK advisory
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.3-1.mga5.noarch is already installed

http://localhost/owncloud or http://localhost/owncloud/ works the same
http://localhost/owncloud gets me the initialization page.
Create admin account
Username, Password, Group, Contact, Organization
Username: testown
Password: testcloud
Group: test
Contact: wilcal
Organization: International
I can add music and pictures.
I can create a document
I can log out and log back in.
192.168.1.141/owncloud server can be seen by another M5 system on the LAN.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.5-1.2.mga5.noarch is already installed

Start owncloud: http://localhost/owncloud/
owncloud takes a second to update.
Create new Group, Contact, Organization
Username: testown ( is still valid )
Password: testcloud ( is still valid )
Group: test1
Contact: wilcal1
Organization: International1
I can add more music and pictures.
I can create a folder "Videos" add videos to it and play them.
I can create a new document and edit an old one.
I can log out and log back in.
192.168.1.141/owncloud server can be seen by another M5 system on the LAN.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK advisory => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OKadvisory
This update works fine.
Testing complete for MGA4 & MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0314.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/654545/