Bug 17620 - owncloud new security issues fixed upstream in 8.0.10
Summary: owncloud new security issues fixed upstream in 8.0.10
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/673465/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-01-25 17:02 CET by David Walser
Modified: 2016-01-29 20:44 CET

See Also:
Source RPM: owncloud-8.0.9-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-01-25 17:02:30 CET
ownCloud has released new versions on December 22:
https://owncloud.org/changelog/

They fix three security issues:
https://owncloud.org/security/advisory/?id=oc-sa-2016-001
https://owncloud.org/security/advisory/?id=oc-sa-2016-002
https://owncloud.org/security/advisory/?id=oc-sa-2016-003

I will push the update for Mageia 5 once updates_testing is cleaned.

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

A Cross-site scripting (XSS) vulnerability in the OCS discovery provider in
ownCloud Server before 8.0.10 allows remote attackers to inject arbitrary web
script or HTML via the URL resulting in a reflected Cross-Site-Scripting
(CVE-2016-1498).

ownCloud Server before 8.0.10 allows remote authenticated users to obtain
sensitive information from a directory listing and possibly cause a denial of
service (CPU consumption) via the force parameter to
index.php/apps/files/ajax/scan.php (CVE-2015-1499).

ownCloud Server before 8.0.10, when the "file_versions" application is
enabled, does not properly check the return value of getOwner, which allows
remote authenticated users to read the files with names starting with ".v"
and belonging to a sharing user by leveraging an incoming share
(CVE-2016-1500).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1498
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1499
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1500
https://owncloud.org/security/advisory/?id=oc-sa-2016-001
https://owncloud.org/security/advisory/?id=oc-sa-2016-002
https://owncloud.org/security/advisory/?id=oc-sa-2016-003
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176017.html
========================

Updated packages in core/updates_testing:
========================
owncloud-8.0.10-1.mga5

from owncloud-8.0.10-1.mga5.src.rpm

Comment 1 David Walser 2016-01-25 18:44:36 CET
Updated package uploaded for Mageia 5.

Advisory in Comment 0.

Assignee: mageia => qa-bugs

David Walser 2016-01-25 20:32:24 CET

URL: (none) => http://lwn.net/Vulnerabilities/673465/

Comment 2 William Kenney 2016-01-26 18:26:56 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.9-1.mga5.noarch is already installed

http://localhost/owncloud gets me the initialization page.
Set
user:test
pw:test
I can add documents, pictures and music.
The share domain wizard works nicely and I can get to the
owncloud test system easily from another system on the LAN.
I can add documents, pictures and music from a remote system.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.10-1.mga5.noarch is already installed

http://localhost/owncloud launches the update process.
I can log in as test user again.
I can add more documents, pictures and music.
I can continue to access owncloud from another system
on the LAN. I can access documents, pictures and music
and add more remotely.

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

Comment 3 William Kenney 2016-01-26 19:13:44 CET
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.9-1.mga5.noarch is already installed

http://localhost/owncloud gets me the initialization page.
Set
user:test
pw:test
I can add documents, photos and music.
The share domain wizard works nicely and I can get to the
owncloud test system easily from another system on the LAN.
I can add documents, pictures and music from a remote system.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.10-1.mga5.noarch is already installed

http://localhost/owncloud launches the update process.
I can log in as test user again.
I can add more documents, photos and music.
I can continue to access owncloud from another system
on the LAN. I can access documents, pictures and music
and add more remotely.

William Kenney 2016-01-26 19:13:59 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 4 William Kenney 2016-01-26 19:14:31 CET
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-01-28 20:08:57 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 5 Mageia Robot 2016-01-29 12:03:49 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0040.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2016-01-29 20:44:25 CET
LWN reference with CVEs:
http://lwn.net/Vulnerabilities/674070/
