Hi, I plan to prepare an upload by the end of this week.

THX for the notification,
Tom

On Monday, 03.09.2012 at 12:25, Moritz Muehlenhoff wrote:
> Package: owncloud
> Version: 4.0.4debian-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The following security issues are still open in Wheezy (although they're
> fixed in sid):
> Since Wheezy is frozen, this either needs to be fixed with an upload to
> testing-proposed-updates containing only the security fixes or by getting
> 4.0.7 into Wheezy (given how the freeze has been so far, the former is most
> likely preferred by release managers)
>
> Cheers,
> Moritz
>
>
> Please see http://seclists.org/oss-sec/2012/q3/363 :
>
> Version 4.0.7 Aug 14th 2012
>
> Vulnerability of type .htaccess upload in file /lib/migrate.php.
> A user could import a crafted import.zip to upload a .htaccess to the
> data folder, which could lead to code execution.
> https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a
>
> Please use CVE-2012-4389 for this issue.
>
> ====
> Vulnerability of type "user enumeration" in file remote.php.
> It has been discovered that an authenticated user could get a list of
> all registered users.
> https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707
>
> Please use CVE-2012-4390 for this issue.
>
> ====
> Vulnerability of type "CSRF" in file appconfig.php
> The appconfig.php wasn't checking the CSRF token. This could allow
> an attacker to edit the app configurations.
> https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188
>
> Please use CVE-2012-4391 for this issue.
>
> ====
> Vulnerability of type "auth bypass" in file index.php
> Due to improper checking of the cookie, an unauthenticated attacker could
> log in as a user if the user never used the "remember password"
> function.
> https://github.com/owncloud/core/commit/baab13ae134ff109c043371a7813df9b9bd4967b
>
> Please use CVE-2012-4392 for this issue.
>
> - -------------
> Version 4.0.6 Aug 1st 2012
>
> Security: Check for Admin user in appconfig.php (CSRF)
> Registered user could change app configs without admin rights.
> https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f
> Security: Several CSRF security fixes
> The admin settings and the bookmark app weren't checking the CSRF token.
> https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f
> and
> https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745
>
> CVEs merged into a single CVE
>
> Please use CVE-2012-4393 for these issues.
>
> - -------------
>
> Version 4.0.5 July 20th
> Reflected XSS (XSS)
> The filelist wasn't sanitizing HTML values in image files.
> https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8
>
> Please use CVE-2012-4394 for this issue.
>
> _______________________________________________
> Pkg-owncloud-maintainers mailing list
> pkg-owncloud-maintain...@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-owncloud-maintainers
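The first issue in the quoted advisory (CVE-2012-4389) is an archive-import problem: a member of a user-supplied zip was written into the web-served data directory by name, so a `.htaccess` entry ended up where the web server would honour it. The following is an added example in Python, not ownCloud's own PHP code or the fix in the referenced commit, showing the kind of pre-extraction scan an importer should run: it rejects absolute paths, `..` traversal, server configuration files and other dotfiles, symlink members, and archives that exceed a decompressed-size budget. The forbidden-name set beyond `.htaccess`, the size budget, the function names and the two sample archives are all constructed for this example.

```python
import io
import stat
import zipfile

# Basenames that must never land in a web-served data directory. ".htaccess"
# is the file class from CVE-2012-4389; the other two are hypothetical
# additions of the same kind (server/PHP per-directory configuration).
FORBIDDEN_BASENAMES = {".htaccess", ".htpasswd", ".user.ini"}
# Constructed budget for the total uncompressed size of one import.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024


def check_member_name(name):
    """Return a rejection reason for one archive member name, or None if it is acceptable."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return "absolute path"
    parts = [p for p in norm.split("/") if p != ""]
    if not parts:
        return "empty name"
    if ".." in parts:
        return "path traversal"
    for part in parts:
        if part.lower() in FORBIDDEN_BASENAMES:
            return "forbidden config file"
        if part.startswith("."):
            return "hidden file"
    return None


def validate_import_archive(data):
    """Scan an import archive without extracting anything.

    Returns (ok, problems), where problems is a list of (member_name, reason).
    All members are checked so the caller can log every finding; the scan only
    stops early once the uncompressed-size budget is exceeded.
    """
    problems = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = check_member_name(info.filename)
            if reason is not None:
                problems.append((info.filename, reason))
                continue
            # The high 16 bits of external_attr carry the Unix mode for
            # archives created on Unix; a symlink member would let a later
            # write land outside the data directory.
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append((info.filename, "symlink"))
                continue
            total += info.file_size
            if total > MAX_TOTAL_UNCOMPRESSED:
                problems.append((info.filename, "size budget exceeded"))
                break
    return (not problems, problems)


def build_zip(entries):
    """Build an in-memory zip from (name_or_zipinfo, content) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (not real ownCloud exports).
BENIGN_ZIP = build_zip([
    ("files/notes.txt", "hello"),
    ("files/photos/cat.jpg", "not really a jpeg"),
])

_link = zipfile.ZipInfo("files/link")
_link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the member as a symlink
MALICIOUS_ZIP = build_zip([
    ("files/notes.txt", "hello"),
    ("data/.htaccess", "# constructed: rejected by name regardless of content"),
    ("../../tmp/escaped.txt", "# constructed: path traversal"),
    (_link, "/tmp/elsewhere"),
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("malicious", MALICIOUS_ZIP)):
        ok, problems = validate_import_archive(blob)
        print(label, "accepted" if ok else "rejected", problems)
```

The check runs over `infolist()` only, so nothing is written to disk until the whole archive has passed; an importer that extracts first and cleans up afterwards has already lost, because the web server may read the configuration file in the window between the two steps.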