[Pkg-owncloud-maintainers] More fixes for ownCloud… CVE-2015-595{3,4}

Salvatore Bonaccorso carnil at debian.org
Sun Oct 4 05:01:09 UTC 2015


Hi David,

On Wed, Sep 30, 2015 at 07:53:07PM -0400, David Prévot wrote:
> On Sun, Sep 27, 2015 at 06:39:07PM -0400, David Prévot wrote:
> 
> > Thanks to Salvatore via #800126, another CVE has been fixed in the
> > owncloud package.
> 
> After looking closer, I believe the issue is not as bad in the 7. series
> (as available in Sid/Stretch and Jessie) since one can’t go further down
> than the logged in user directory on the webserver (there were more
> safeguards than in the 8. series, that’s probably why upstream didn’t
> care to get the fix backported). Preventing the scanning at the higher
> level should still help in some usage.
> 
> > I also had a closer look at the upstream advisories,
> > and noticed they added two “old” advisories for CVE-2015-595{3,4} this
> > summer.
> 
> And another one has just been shared, already fixed in 7.0.9~dfsg-1:
> 
> https://owncloud.org/security/advisory/?id=oc-sa-2015-018
> 
> I have not yet updated the tracker, since the CVE assignment is pending,
> but maybe I should add a temporary entry?

I have added them as temporary entries some days ago. No CVE assigned
AFAICS so far.

> I’ve updated the proposed package (debdiff attached), and I’m currently
> testing the package on a production server.

Did you notice any problems in your tests on the production server?

> > On the other hand, the data disclosure (CVE-2015-5954) looks a bit bad,
> > so maybe you’d want to provide a DSA after all.
> 
> This newly disclosed issue doesn’t look very good either, even if the
> files_external application is not enabled by default (many people seem
> to actually rely on it).
> 
> I know you’re not ownCloud experts, but on the other hand, I’m not a
> security expert either, so I don’t really know if it actually deserves a
> DSA on its own, or if it’s OK to just push it via pu, comments welcome.

Okay, maybe better be safe than sorry. Assuming you haven't had any
problems with your update for some days now, please go ahead with an
upload to security-master; the target distribution needs to be changed
from jessie to jessie-security (and urgency=high).

> If you want to issue a DSA, do you want me to revert the fix for
> CVE-2015-4716 that is already in pu?

No, since all changes were acked by the SRM already, just base the
upload on the one already uploaded.

Do you want to prepare a draft DSA text? If so, the advisory should
also cover the issues already addressed in +deb8u2.

Thanks for all your work and help!

Regards,
Salvatore