[Pkg-owncloud-maintainers] Bug#781274: (pre-approval) unblock: owncloud/7.0.4+dfsg-3

David Prévot taffit at debian.org
Thu Mar 26 19:26:37 UTC 2015

Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please pre-approve an unblock for the owncloud package

It cherry-picks three security fixes from the recently released 7.0.5
version (already in experimental):

owncloud (7.0.4+dfsg-3) unstable; urgency=medium

  * Add gbp config file to follow the jessie branch
  * Backport security fixes from 7.0.5:
    - Multiple stored XSS in "contacts" application [OC-SA-2015-001]
    - Multiple stored XSS in "documents" application [OC-SA-2015-002]
    - Bypass of file blacklist [OC-SA-2015-004]
  * Run upgrade script with sudo as www-data user
  * Depend on php5-cli (it is actually used in postinst)

 -- David Prévot <taffit at debian.org>  Wed, 25 Mar 2015 16:20:32 -0400

I’d also like to shim in two other small changes:
- the upgrade script should be run as the same user as the installed
  data, i.e., www-data by default, instead of root: this recommendation
  has recently been enforced upstream since the upgrade process may
  touch data files on top of the potential database changes;
- since the php CLI is called during postinst, php5-cli should be a
  dependency instead of a recommendation (the README.Debian change just
  drops the now useless explanation why php5-cli was recommended).

The attached debdiff stripes away the webodf.js changes from the
cherry-picked commit from upstream: this minified JavaScript files is
anyway regenerated at build time and is thus not the file included in
the actual binary package.

unblock owncloud/7.0.4+dfsg-3

Thanks in advance


-------------- next part --------------
A non-text attachment was scrubbed...
Name: oc.diff
Type: text/x-diff
Size: 12987 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-owncloud-maintainers/attachments/20150326/16e44689/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-owncloud-maintainers/attachments/20150326/16e44689/attachment.sig>

More information about the Pkg-owncloud-maintainers mailing list