oss-sec mailing list archives

owncloud 5.0.8 and 4.5.13 (oC-SA-2013-029 and oC-SA-2013-030) - CVE assignments?


From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 5 Aug 2013 23:33:38 +0200

Hi

(not a CVE request per se, more to clarify/ask back): Owncloud 4.5.13
and 5.0.8 fixed both bugs marked SECURITY at [1].

 [1] http://owncloud.org/releases/Changelog

Release  "5.0.8"
July 9. 2013

- SECURITY: XSS vulnerability in "Share Interface" (oC-SA-2013-029)
- SECURITY: Authentication bypass in "user_webdavauth" (oC-SA-2013-030)
- New anonymous upload feature
- Fix syncing of external filesystems
- External filesystems performance improvements
- Improve compatibility with Oracle
- Improved and simplified theming
- Internet explorer 8 fixes
- Fixes for partial file uploads
- LDAP: fix handling of User and Group Bases
- Improved and more robust upgrade system
- A lot of encryption system fixes
- Do not add groups if user has no groups
- Several Contacts fixes
- A lot of smaller bugfixes all over the place

Download: http://download.owncloud.org/community/owncloud-5.0.8.tar.bz2
MD5: http://download.owncloud.org/community/owncloud-5.0.8.tar.bz2.md5

-------------------------------
Release  "4.5.13"
July 9. 2013

- SECURITY: Authentication bypass in "user_webdavauth" (oC-SA-2013-030)
- Fixed deleting old files versions

Download: http://download.owncloud.org/community/owncloud-4.5.13.tar.bz2
MD5: http://download.owncloud.org/community/owncloud-4.5.13.tar.bz2.md5

Looking at [2] there is no reference to oC-SA-2013-029 and
oC-SA-2013-030 and CVE assignments for these issues. Were they
already requested? (Cc'ing also the security () owncloud com team,
reading from [3] it's not clear if they were already assigned).

But the following might be emphasized (from [3]):

[11:38:54] <AnybodyElse> Luigi12_work: I'll release them as soon as possible. Sorry. I'm actually *very* busy with my job.
[11:40:00] <AnybodyElse> Luigi12_work: that said: the vulnerabilities aren't really severe and only exploitable in some very special and unusuable setups

 [2] http://owncloud.org/about/security/advisories/
 [3] https://bugs.mageia.org/show_bug.cgi?id=10763#c8

Regards,
Salvatore

