ownCloud has released new versions on December 22:
https://owncloud.org/changelog/

They fix three security issues:
https://owncloud.org/security/advisory/?id=oc-sa-2016-001
https://owncloud.org/security/advisory/?id=oc-sa-2016-002
https://owncloud.org/security/advisory/?id=oc-sa-2016-003

I will push the update for Mageia 5 once updates_testing is cleaned.

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

A Cross-site scripting (XSS) vulnerability in the OCS discovery provider in ownCloud Server before 8.0.10 allows remote attackers to inject arbitrary web script or HTML via the URL resulting in a reflected Cross-Site-Scripting (CVE-2016-1498).

ownCloud Server before 8.0.10 allows remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php (CVE-2015-1499).

ownCloud Server before 8.0.10, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share (CVE-2016-1500).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1498
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1499
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1500
https://owncloud.org/security/advisory/?id=oc-sa-2016-001
https://owncloud.org/security/advisory/?id=oc-sa-2016-002
https://owncloud.org/security/advisory/?id=oc-sa-2016-003
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176017.html
========================

Updated packages in core/updates_testing:
========================
owncloud-8.0.10-1.mga5

from owncloud-8.0.10-1.mga5.src.rpm
Updated package uploaded for Mageia 5. Advisory in Comment 0.
Assignee: mageia => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/673465/
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.9-1.mga5.noarch is already installed

http://localhost/owncloud gets me the initialization page.
Set user:test pw:test
I can add documents, pictures and music.
The share domain wizard works nicely and I can get to the owncloud test system easily from another system on the LAN.
I can add documents, pictures and music from a remote system.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.10-1.mga5.noarch is already installed

http://localhost/owncloud launches the update process.
I can log in as test user again.
I can add more documents, pictures and music.
I can continue to access owncloud from another system on the LAN.
I can access documents, pictures and music and add more remotely.
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.9-1.mga5.noarch is already installed

http://localhost/owncloud gets me the initialization page.
Set user:test pw:test
I can add documents, photos and music.
The share domain wizard works nicely and I can get to the owncloud test system easily from another system on the LAN.
I can add documents, pictures and music from a remote system.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.10-1.mga5.noarch is already installed

http://localhost/owncloud launches the update process.
I can log in as test user again.
I can add more documents, photos and music.
I can continue to access owncloud from another system on the LAN.
I can access documents, pictures and music and add more remotely.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0040.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference with CVEs: http://lwn.net/Vulnerabilities/674070/