Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 10 Aug 2012 22:57:24 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Bruno Kleinert <fuddl@...ian.org>, mtgap@...cloud.com
Subject: ownCloud - matching CVEs to fix information and vice versa

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok so I started looking at ownCloud to make sure I didn't issue a
duplicate.

We have the following 4 CVE entries for ownCloud and no way to match
them to a fixed version.

CVE-2012-2398	Cross-site scripting (XSS) vulnerability in
files/ajax/download.php in ownCloud 3.0.2 allows remote attackers to
inject arbitrary web script or HTML via the files parameter, a
different vulnerability than CVE-2012-2269.4. NOTE: the provenance of
this information is unknown; the details are obtained solely from
third party information.

Is CVE-2012-2398 fixed in 3.0.3?

CVE-2012-2397	Cross-site request forgery (CSRF) vulnerability in
ownCloud 3.0.2 allows remote attackers to hijack the authentication of
arbitrary users for requests that insert cross-site scripting (XSS)
sequences via vectors involving contacts. NOTE: the provenance of this
information is unknown; the details are obtained solely from third
party information.

Is CVE-2012-2397 fixed in 3.0.3?

CVE-2012-2270	Open redirect vulnerability in index.php (aka the Login
Page) in ownCloud 3.0.0 allows remote attackers to redirect users to
arbitrary web sites and conduct phishing attacks via a URL in the
redirect_url parameter.

Is CVE-2012-2270 fixed in 3.0.1?

CVE-2012-2269	Multiple cross-site scripting (XSS) vulnerabilities in
ownCloud 3.0.0 allow remote attackers to inject arbitrary web script
or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php,
(2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3)
the name parameter to apps/contacts/ajax/createaddressbook, (4) the
file parameter to files/download.php, or the (5) name, (6) user, or
(7) redirect_url parameter to files/index.php.

Is CVE-2012-2269 fixed in 3.0.1

Can you please confirm that these issues have been fixed, and in what
version of ownCloud? It would be very helpful if you could put the CVE
#'s into the ChangeLog at http://owncloud.org/changelog/

Once these 4 have been confirmed I can assign a CVE for the new issue
and the outstanding ones:

Version 4.0.6 Aug 1th 2012
•	Security: Check for Admin user in appconfig.php
•	Security: Several CSRF security fixes

Version 4.0.5 July 20th 2012
•	Several CSRF security fixes

Version 4.0.4 June 28th 2012
•	Nothing security listed

Version 4.0.3 June 23rd 2012
•	Fix several XSS bugs
•	Implement several CSRF security checks

Version 4.0.2 June 11th 2012
•	Several XSS fixes in calendar
•	Several XSS fixes in contacts

Version 4.0.1 June 4th 2012
•	security: fix a XSS problem in calendar
•	security: fix a XSS problem in contacts

Version 4.0.0 May 22nd 2012
•	Nothing security listed

Version 3.0.3 April 27th 2012
•	Security: Several CSRF fixes
•	Security: .htaccess uploading blacklist

Version 3.0.2 April 11th 2012
•	Security: Make password hashes more random
•	Security: Fix a XXS problem

Version 3.0.1 April 3rd 2012
•	Nothing security listed

Version 3.0 January 31st 2012, Release Announcement
•	Nothing security listed




- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQJeY0AAoJEBYNRVNeJnmTbXIP/0Ai7gfOkqCf4HYSiz5AK/1+
xaHZgGCD+gk1bOw/3LjquMXpJDqtZdniNMnC9+A0vOiKq1HSFHuy43X+Mhyx79U5
9/utnB+reeva22fohCrYWrQlV8ayw6hZPXR/84w1p+ety0ff+aK3Ri2c7racBnpP
hx9kWIq5noj00+/HUcM3bfKbFzwxiBedOgHv4vVnV5eHukO5HOmDfxHKMsR+POAT
1TjVPNdIxL6O+N8Mxxt00/hxhdjmjjR6/JJJknUW3h+NXLg0v9YMFiXkQKdnqOcD
TQPEG3Vgq/yoID2pT62Ro4B8extVGLqtsVckzuCRD+o9n+3b2eT1KpFoxeoCkztb
tXzabRX0mdWcspWbqQXZ8eITrvA15r6sXauxZYjz67n745iW3I9fPFBVtxg+3SQV
2BM+R12NkjvfSLJzfvRuYdhd2rJ2aw2jL4u3vMKeSY1mWd2GPgBo+KVGMl2L/pU3
LH9JoNj3EX0xUin8/Mndk1CA8NVjVqfgjxWC3uoRAuECU8oFXSS5W7ufhBQ7b9du
bodnn4IvGLS5Durx3qB3Ob/NandL2yjAKUMDFClqu7CdUx8XsCC3UpUrg7DF8dC5
Gyav7xiek9EPA+pEOdw1pIVFNA8nTpYcwitYMU7zm7E1AxRxKlJlnPaygF/7FyRP
8OA4UwFzQtCSDuQa+GMU
=/XiD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.