[Pkg-owncloud-maintainers] More fixes for ownCloud… CVE-2015-595{3,4}

David Prévot taffit at debian.org
Wed Sep 30 23:53:07 UTC 2015


Hi,

On Sun, Sep 27, 2015 at 06:39:07PM -0400, David Prévot wrote:

> Thanks to Salvatore via #800126, another CVE has been fixed in the
> owncloud package.

After looking closer, I believe the issue is not as bad in the 7.x series
(as available in Sid/Stretch and Jessie), since one can’t go further down
than the logged-in user’s directory on the webserver (there were more
safeguards than in the 8.x series; that’s probably why upstream didn’t
care to get the fix backported). Preventing the scanning at the higher
level should still help in some usages.

> I also had a closer look at the upstream advisories,
> and noticed they added two “old” advisories for CVE-2015-595{3,4} this
> summer.

And another one has just been shared, already fixed in 7.0.9~dfsg-1:

https://owncloud.org/security/advisory/?id=oc-sa-2015-018

I have not yet updated the tracker, since the CVE assignment is pending,
but maybe I should add a temporary entry?

I’ve updated the proposed package (debdiff attached), and I’m currently
testing the package on a production server.

> On the other hand, the data disclosure (CVE-2015-5954) looks a bit bad,
> so maybe you’d want to provide a DSA after all.

This newly disclosed issue doesn’t look very good either, even if the
files_external application is not enabled by default (many people seem
to actually rely on it).

I know you’re not ownCloud experts, but on the other hand, I’m not a
security expert either, so I don’t really know if it actually deserves a
DSA on its own, or if it’s OK to just push it via pu, comments welcome.

If you want to issue a DSA, do you want me to revert the fix for
CVE-2015-4716 that is already in pu?

The other security issue (again, I have not yet updated the tracker, since
the CVE assignment is pending) has been fixed in php-smb 1.0.3a-1. That
package is not in Jessie, and the owncloud binary package distributed in
Debian does not contain this copy (since it uses the php-smb package
instead):

https://owncloud.org/security/advisory/?id=oc-sa-2015-017

Regards

David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oc.diff
Type: text/x-diff
Size: 18974 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-owncloud-maintainers/attachments/20150930/22006f6c/attachment.diff>