Hi David and Adam,

On Sat, Apr 25, 2015 at 10:17:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Adam, hi David,
>
> On Sat, Apr 25, 2015 at 05:52:58PM +0100, Adam D. Barratt wrote:
> > On Sat, 2015-04-18 at 16:09 -0400, David Prévot wrote:
> > [...]
> > > The said period now started (yet I can’t find any definition of what
> > > that means exactly), and the three security issues affecting owncloud,
> > > having their targeted fixes available in Sid, still affect the version
> > > in Jessie.
> > >
> > > Adding the security team in the loop for advice: what is the way to move
> > > forward now? (Will the pending unblock requests be processed and I
> > > shouldn’t worry, will the issues warrant a DSA and should I prepare it,
> > > should we rather make a pu request, something else?)
> >
> > The unblock has semi-automagically (via a device named a jmw) been
> > converted to a p-u request, but I'd still appreciate the security team's
> > input on this.
>
> Ok.
>
> > None of CVE-2015-301[123] currently have "no-dsa" markers on the
> > security tracker so it's quite possible that a DSA would be appropriate.
>
> I think nobody has looked in the concrete three at the moment. But I
> will try to do so tomorrow and give feedback. From a rough overview I
> think both CVE-2015-3012 and CVE-2015-3013 are more like no-dsa (since
> the first is mitigated in modern browsers and the second is due to
> non-recommended setups).
>
> The CVE-2015-3011 actually is exposed without protection, since "While
> ownCloud advises browsers to disable inline JavaScript execution this
> vulnerability is caused by a eval like construct which is currently
> allowed in our default Content-Security-Policy, thus this is
> effectively exploitable in any browser.".
>
> David, CVE-2015-3011 is exploitable if a victim user tries to edit a
> specially crafted contact item which he has access to?
So I checked the diff, but honestly I haven't tried to diff

 patches/0011-Apply-some-upstream-patches.patch | 1745 ++++++++++++++++++++++++

regarding the WebODF changes. The other non-CVE relevant changes look ok
to me too, so the occ call in postinst and the move of php5-cli to the
Depends. (But not checked an actual upgrade of the resulting owncloud
packages).

Can you prepare an update to be released through jessie-security for
owncloud? Use distribution set to jessie-security and make sure to build
with -sa since the package will be new to dak on security-master. Since
the upload will be mainly 7.0.4+dfsg-4 rebuild for jessie-security you
can use 7.0.4+dfsg-4~deb8u1 as version.

Regards,
Salvatore