[Pkg-owncloud-maintainers] Bug#771954: unblock: (pre-approval) owncloud/7.0.4+dfsg-1

David Prévot taffit at debian.org
Wed Dec 3 19:24:07 UTC 2014


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

TL;DR: upcoming upstream point release update with security-related
fixes.

Hi,

Please consider unblocking the upcoming package owncloud.

The 7.0.4 upstream point release is expected next week, and it adds a
new OC\Security\Crypto class that should be useful for the next security
fixes (and maybe some security fixes, information will be updated with
the actual release; I can follow up to a private e-mail address for the
release team if you want to discuss not yet disclosed security matters).

Among the other fixes, it removes an annoying behaviour, causing the
config file (in /etc) to be touched on CardDAV connexion, changing its
timestamp for no good reason, and making programs looking at changes in
the /etc directory (e.g., metche) spam the administrator.

In case you’d refuse the whole upcoming new release, I’d like you to
consider allowing at least this targeted fix (see the minimal changes in
lib/private/config.php from the attached diff). Please let me know and
I’ll upload owncloud/7.0.3+dfsg-2 ASAP and update this request (or open
a new one if you may still consider 7.0.4+dfsg-1 later).

The attached filtered debdiff is not too big considering the five new
files (see binary debdiff in P.-S.) are providing 308 insertions there:

 50 files changed, 801 insertions(+), 143 deletions(-)

It has been filtered with the following command (7.0.4~rc1 is the
version that has been uploaded to experimental yesterday, and 7.0.4
should not add too much change to it):

debdiff --ignore-space ../owncloud_7.0.{3,4~rc1}+dfsg-1.dsc | \
	filterdiff -x '*/core/doc/*' -x'*/apps/*/tests/*'

- the documentation ('*/core/doc/*') change is irrelevant, since it’s
  provided by owncloud-doc anyway (bug report will follow if you accept
  this pre-approval);
- the tests are not shipped (nor used at build time yet since they rely
  on an installed ownCloud instance)

The Debian changelog follows, it merely documents actual upstream
changes, the (WIP) upstream changelog is currently:

- Added XMLWriter check
- Better deleted outdated previews
- Store storage credential in session only if needed
- Don't disclose relative directory path for single shared files of user
- Password reset fixes
- Fix enable app only for a specific group
- fixing port configuration in trusted domains
- LDAP fixes
- Make group search case sensitive
- Allow admin to change users display name 
- Several smaller fixes

owncloud (7.0.4~rc1+dfsg-1) experimental; urgency=medium

  Upload RC to experimental

  [ Morris Jobke ]
  * Fix infinite loop if count and limit is 0

  [ Lukas Reschke ]
  * Run preupdate before an update
  * Add repair steps for legacy config files
  * Fix mapping of relative paths
  * Backport \OC\Security\Crypto to ownCloud 7
  * Only store user credentials when SMB_OC storage is enabled
  * Use `/` as redirect location if webroot is set to an empty value
  * Try to read the file only instead of trying to touch
  * Don't show favicon to prevent iteration through subfolders
  * Check for XMLWriter class

  [ Vincent Petry ]
  * Fix root path handling for WebDAV ext storage
  * Fix file upload to ext storage when recovery key is enabled
  * Show warning when invalid user was passed

  [ Andreas Fischer ]
  * user_ldap: Reimplement convertSID2Str() without BCMath dependency.

  [ michag86 ]
  * removal of wrong/double implemented check
  * cleanup group admin(s) on deleteGroup

  [ Clark Tomlinson ]
  * Hiding add to your own cloud if server2server sharing is not enabled

  [ Michael Roitzsch ]
  * file size on non-(Linux/BSD/Windows)-installations

  [ Bjoern Schiessle ]
  * use login name to verify password

  [ Craig Morrissey ]
  * adjust autocomplete behavior for sharing menu

  [ Georg Ehrke ]
  * delete all children's previews when deleting a folder
  * delete old previews

  [ Frank Karlitschek ]
  * 7.0.4 RC1

  [ David Prévot ]
  * Refresh patches
  * Update upstream changelog

 -- David Prévot <taffit at debian.org>  Mon, 01 Dec 2014 19:10:39 -0400

unblock owncloud/7.0.4+dfsg-1

Thanks a lot in advance for considering.

Regards

David

P.-S.: $ debdiff ../owncloud_7.0.{3,4~rc1}+dfsg-1_amd64.changes
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /usr/share/owncloud/lib/private/security/crypto.php
-rw-r--r--  root/root   /usr/share/owncloud/lib/private/security/stringutils.php
-rw-r--r--  root/root   /usr/share/owncloud/lib/public/security/icrypto.php
-rw-r--r--  root/root   /usr/share/owncloud/lib/public/security/stringutils.php
-rw-r--r--  root/root   /usr/share/owncloud/lib/repair/repairconfig.php

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-26674-] {+26700+}
Version: [-7.0.3+dfsg-1-] {+7.0.4~rc1+dfsg-1+}

-------------- next part --------------
A non-text attachment was scrubbed...
Name: oc.diff
Type: text/x-diff
Size: 101964 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-owncloud-maintainers/attachments/20141203/3e88b1a2/attachment-0001.diff>