Your message dated Wed, 12 Sep 2012 21:47:46 +0000
with message-id <e1tbumg-0000ev...@franck.debian.org>
and subject line Bug#686567: fixed in owncloud 4.0.4debian2-2
has caused the Debian Bug report #686567,
regarding owncloud: Missing security fixes in Wheezy
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
686567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686567
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: owncloud
Version: 4.0.4debian-1
Severity: grave
Tags: security
Justification: user security hole
The following security issues are still open in Wheezy (although they're fixed
in sid):

Since Wheezy is frozen, this either needs to be fixed with an upload to
testing-proposed-updates containing only the security fixes or by getting 4.0.7
into Wheezy (given how the freeze has been so far, the former is most likely
preferred by release managers).

Cheers,
Moritz

Please see http://seclists.org/oss-sec/2012/q3/363 :
Version 4.0.7 Aug 14th 2012

Vulnerability of type ".htaccess upload" in file /lib/migrate.php.
A user could import a crafted import.zip to upload a .htaccess to the
data folder, which could lead to code execution.
https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a
Please use CVE-2012-4389 for this issue.

====

Vulnerability of type "user enumeration" in file remote.php.
It has been discovered that an authenticated user could get a list of
all registered users.
https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707
Please use CVE-2012-4390 for this issue.

====

Vulnerability of type "CSRF" in file appconfig.php.
The appconfig.php wasn't checking the CSRF token. This could allow
an attacker to edit the app configurations.
https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188
Please use CVE-2012-4391 for this issue.

====

Vulnerability of type "auth bypass" in file index.php.
Due to improper checking of the cookie, an unauthenticated attacker could
log in as a user if the user never used the "remember password"
function.
https://github.com/owncloud/core/commit/baab13ae134ff109c043371a7813df9b9bd4967b
Please use CVE-2012-4392 for this issue.

-------------

Version 4.0.6 Aug 1st 2012

Security: Check for Admin user in appconfig.php (CSRF)
A registered user could change app configs without admin rights.
https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f

Security: Several CSRF security fixes
The admin settings and the bookmark app weren't checking the CSRF token.
https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f
and
https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745
CVEs merged into a single CVE.
Please use CVE-2012-4393 for these issues.

-------------

Version 4.0.5 July 20th

Reflected XSS (XSS)
The filelist wasn't sanitizing HTML values in image files.
https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8
Please use CVE-2012-4394 for this issue.
--- End Message ---
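The first advisory item (CVE-2012-4389) describes an import archive whose entries were written into the data folder without any filtering, so a .htaccess placed at the archive root ended up where Apache would read it. The following is an added example, not code from ownCloud, the advisory, or the Debian patches: a pre-extraction validator for a zip import that rejects Apache control files (any basename starting with ".ht", matching Apache's own `^\.ht` access rule) and rejects the whole archive rather than silently skipping the bad entry. It goes beyond the advisory's specific case by also refusing entries that would escape the destination directory (absolute paths, "..", drive prefixes) and symlink entries, which are the other common ways a crafted archive plants files outside the intended tree. All function names (`check_entry_name`, `validate_import_archive`, `is_rejected`, `build_archive`) and the sample archives are constructed for this example.

```python
import io
import posixpath
import zipfile
from typing import Dict, List, Optional


class ArchiveRejected(ValueError):
    """Raised when an import archive contains an entry that must not be extracted."""


def check_entry_name(name: str) -> str:
    """Return the normalised relative path of an entry, or raise ArchiveRejected.

    Directory entries (trailing '/') carry no payload and yield ''.
    """
    if not name or name.endswith("/"):
        return ""
    # Zip names use '/', but archives built on Windows may carry '\'.
    normalised = posixpath.normpath(name.replace("\\", "/"))
    # Anything that would land outside the import directory is refused.
    if normalised.startswith("/") or normalised == ".." or normalised.startswith("../"):
        raise ArchiveRejected(f"entry escapes the import directory: {name!r}")
    if ":" in normalised.split("/")[0]:  # Windows drive prefix such as C:
        raise ArchiveRejected(f"entry carries a drive prefix: {name!r}")
    basename = posixpath.basename(normalised)
    # Apache reads .htaccess/.htpasswd from any directory it serves; a user-supplied
    # copy in the data folder can change handler mappings, so none may be written.
    if basename.lower().startswith(".ht"):
        raise ArchiveRejected(f"server control file not allowed: {name!r}")
    return normalised


def validate_import_archive(data: bytes) -> List[str]:
    """Validate a zip import before extracting anything; return accepted paths.

    The whole archive is rejected on the first bad entry so a crafted import
    can never be half-applied.
    """
    accepted: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The upper 16 bits of external_attr hold the unix mode; 0o120000 is a symlink.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                raise ArchiveRejected(f"symlink entry not allowed: {info.filename!r}")
            path = check_entry_name(info.filename)
            if path:
                accepted.append(path)
    return accepted


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper: True if the validator refuses the archive."""
    try:
        validate_import_archive(data)
    except ArchiveRejected:
        return True
    return False


def build_archive(files: Dict[str, bytes],
                  symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Build an in-memory zip from {name: content}; only used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = 0o120777 << 16  # unix mode: symlink
            zf.writestr(info, target)
    return buf.getvalue()


# Constructed samples (not real ownCloud exports).
BENIGN_ARCHIVE = build_archive({"files/notes.txt": b"hello", "files/photos/": b""})
HTACCESS_ARCHIVE = build_archive({"files/notes.txt": b"hello",
                                  ".htaccess": b"# constructed placeholder content"})
NESTED_HTACCESS_ARCHIVE = build_archive({"files/sub/.HTACCESS": b"# constructed"})
TRAVERSAL_ARCHIVE = build_archive({"../outside.txt": b"constructed"})
SYMLINK_ARCHIVE = build_archive({"files/a.txt": b"x"}, symlinks={"files/link": "/etc/hostname"})

if __name__ == "__main__":
    print("benign:", validate_import_archive(BENIGN_ARCHIVE))
    for label, sample in [("htaccess", HTACCESS_ARCHIVE), ("nested", NESTED_HTACCESS_ARCHIVE),
                          ("traversal", TRAVERSAL_ARCHIVE), ("symlink", SYMLINK_ARCHIVE)]:
        print(label, "rejected:", is_rejected(sample))
```

The validator runs over `infolist()` before any byte is extracted, which is the property the advisory's fix needed: the decision is made on the archive as a whole, not per file during extraction. Matching on the ".ht" prefix case-insensitively covers .htaccess and .htpasswd on both Unix and Windows hosts, and the symlink check closes the other route by which an archive entry can point a later write at a path outside the data folder.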
--- Begin Message ---
Source: owncloud
Source-Version: 4.0.4debian2-2
We believe that the bug you reported is fixed in the latest version of
owncloud, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 686...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Mueller <thomas.muel...@tmit.eu> (supplier of updated owncloud package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 12 Sep 2012 23:31:40 +0200
Source: owncloud
Binary: owncloud owncloud-mysql owncloud-sqlite
Architecture: source all
Version: 4.0.4debian2-2
Distribution: testing-proposed-updates
Urgency: high
Maintainer: ownCloud for Debian maintainers <pkg-owncloud-maintain...@lists.alioth.debian.org>
Changed-By: Thomas Mueller <thomas.muel...@tmit.eu>
Description:
owncloud - cloud storage for files, music, contacts, calendars and many more
owncloud-mysql - meta-package providing MySQL dependencies for ownCloud
owncloud-sqlite - meta-package providing SQLite dependencies for ownCloud
Closes: 683395 683396 683397 684426 686567
Changes:
owncloud (4.0.4debian2-2) testing-proposed-updates; urgency=high
.
* debian/patches:
- Added fix_writing_to_shared_readonly.diff to fix WebDAV write access to
shared files (Closes: #684426)
- Added remove_unused_unsecure_files.diff to fix user and group sniffing
- Added CVE-2012-4389.diff (Closes: CVE-2012-4389)
- Added CVE-2012-4390.diff (Closes: CVE-2012-4390)
- Added CVE-2012-4391.diff (Closes: CVE-2012-4391)
- Added CVE-2012-4392.diff (Closes: CVE-2012-4392)
- Added CVE-2012-4393.diff (Closes: CVE-2012-4393)
- Added CVE-2012-4394.diff (Closes: CVE-2012-4394)
- Close all open CVEs (Closes: #686567)
.
* debian/rules:
- Remove experimental feature 'files_external'
.
* debian/repack.sh:
- Remove experimental feature 'files_external'
- Removed sourceless minified JavaScript files core/js/jquery-1.7.2.min.js
and core/js/jquery-ui-1.8.16.custom.min.js (closes: #683395)
- Removed 3rdparty/Console/Getopt.php and 3rdparty/Crypt_Blowfish
(closes: #683397)
.
* debian/copyright:
- Inserted full text of CC-BY-3.0 (closes: #683396)
- Removed PHP-3 license (closes: #683397)
Checksums-Sha1:
81f6b13629cbb7096831e7db27809c9b2e5d83ee 1508 owncloud_4.0.4debian2-2.dsc
505bd64c18f4f5700ba41005929061662ab27a30 4506901 owncloud_4.0.4debian2.orig.tar.bz2
c933b580a0165492b5e3b3e7d7e27e41199fa243 42828 owncloud_4.0.4debian2-2.debian.tar.gz
5e291beeb0a010d120380dc81457681c2a46e53f 2209136 owncloud_4.0.4debian2-2_all.deb
f0d3d7be89c34fb64981f3396826d367eaa2bfdf 30842 owncloud-mysql_4.0.4debian2-2_all.deb
13fe6e17a41fb047257e3863cdb206539f622276 55742 owncloud-sqlite_4.0.4debian2-2_all.deb
Checksums-Sha256:
37711d334ba16263fff41906ab5aefc7ad3e32a5d4b29bd633ed32d42ddc3d9b 1508 owncloud_4.0.4debian2-2.dsc
fb74e58b595a5a36048fc76d79b492514a320377989cea3c519b4f0ae5876c78 4506901 owncloud_4.0.4debian2.orig.tar.bz2
dab14124c1cda735abc920e7476c45cd28c4566e8d57f703a6f80b2e004bbe21 42828 owncloud_4.0.4debian2-2.debian.tar.gz
ceb6779ab2c869e0e69fd0bef279897962a3947defe57c4f993e0fff705be066 2209136 owncloud_4.0.4debian2-2_all.deb
a6206087980f611eab425caec87860514a0d315dd1ce0fbcc01da26f17737efd 30842 owncloud-mysql_4.0.4debian2-2_all.deb
911a71c469bff3e06957ee1e4f27abc3fdf6b254e0a9e06afd2c34689708ffdc 55742 owncloud-sqlite_4.0.4debian2-2_all.deb
Files:
d5b2ae39196651da847a072feec0b1f0 1508 web extra owncloud_4.0.4debian2-2.dsc
2ebb49eddd909a6c7a70eb828e7c04ac 4506901 web extra owncloud_4.0.4debian2.orig.tar.bz2
95adcdca67f1c34f40ac6ce6a1d8a279 42828 web extra owncloud_4.0.4debian2-2.debian.tar.gz
4b7295d7c442b66a5fd9c7b4d3fac464 2209136 web extra owncloud_4.0.4debian2-2_all.deb
0ed876480c9ac4f255e859103163f721 30842 web extra owncloud-mysql_4.0.4debian2-2_all.deb
06be210403ac504a8182f8603c83d468 55742 web extra owncloud-sqlite_4.0.4debian2-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlBQ/30ACgkQOB0qx4EksQCNsgCdEsSPch5yk294IqxsseDjiT4G
HYUAn06nJ3IJIH2qtpKAsTH9OLRrP8QH
=q3Q0
-----END PGP SIGNATURE-----
--- End Message ---