Date: Fri, 10 Aug 2012 22:57:24 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Bruno Kleinert <fuddl@...ian.org>, mtgap@...cloud.com Subject: ownCloud - matching CVEs to fix information and vice versa -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ok so I started looking at ownCloud to make sure I didn't issue a duplicate. We have the following 4 CVE entries for ownCloud and no way to match them to a fixed version. CVE-2012-2398 Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the files parameter, a different vulnerability than CVE-2012-2269.4. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Is CVE-2012-2398 fixed in 3.0.3? CVE-2012-2397 Cross-site request forgery (CSRF) vulnerability in ownCloud 3.0.2 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Is CVE-2012-2397 fixed in 3.0.3? CVE-2012-2270 Open redirect vulnerability in index.php (aka the Login Page) in ownCloud 3.0.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter. Is CVE-2012-2270 fixed in 3.0.1? CVE-2012-2269 Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 3.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php. Is CVE-2012-2269 fixed in 3.0.1 Can you please confirm that these issues have been fixed, and in what version of ownCloud? It would be very helpful if you could put the CVE #'s into the ChangeLog at http://owncloud.org/changelog/ Once these 4 have been confirmed I can assign a CVE for the new issue and the outstanding ones: Version 4.0.6 Aug 1th 2012 • Security: Check for Admin user in appconfig.php • Security: Several CSRF security fixes Version 4.0.5 July 20th 2012 • Several CSRF security fixes Version 4.0.4 June 28th 2012 • Nothing security listed Version 4.0.3 June 23rd 2012 • Fix several XSS bugs • Implement several CSRF security checks Version 4.0.2 June 11th 2012 • Several XSS fixes in calendar • Several XSS fixes in contacts Version 4.0.1 June 4th 2012 • security: fix a XSS problem in calendar • security: fix a XSS problem in contacts Version 4.0.0 May 22nd 2012 • Nothing security listed Version 3.0.3 April 27th 2012 • Security: Several CSRF fixes • Security: .htaccess uploading blacklist Version 3.0.2 April 11th 2012 • Security: Make password hashes more random • Security: Fix a XXS problem Version 3.0.1 April 3rd 2012 • Nothing security listed Version 3.0 January 31st 2012, Release Announcement • Nothing security listed - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJQJeY0AAoJEBYNRVNeJnmTbXIP/0Ai7gfOkqCf4HYSiz5AK/1+ xaHZgGCD+gk1bOw/3LjquMXpJDqtZdniNMnC9+A0vOiKq1HSFHuy43X+Mhyx79U5 9/utnB+reeva22fohCrYWrQlV8ayw6hZPXR/84w1p+ety0ff+aK3Ri2c7racBnpP hx9kWIq5noj00+/HUcM3bfKbFzwxiBedOgHv4vVnV5eHukO5HOmDfxHKMsR+POAT 1TjVPNdIxL6O+N8Mxxt00/hxhdjmjjR6/JJJknUW3h+NXLg0v9YMFiXkQKdnqOcD TQPEG3Vgq/yoID2pT62Ro4B8extVGLqtsVckzuCRD+o9n+3b2eT1KpFoxeoCkztb tXzabRX0mdWcspWbqQXZ8eITrvA15r6sXauxZYjz67n745iW3I9fPFBVtxg+3SQV 2BM+R12NkjvfSLJzfvRuYdhd2rJ2aw2jL4u3vMKeSY1mWd2GPgBo+KVGMl2L/pU3 LH9JoNj3EX0xUin8/Mndk1CA8NVjVqfgjxWC3uoRAuECU8oFXSS5W7ufhBQ7b9du bodnn4IvGLS5Durx3qB3Ob/NandL2yjAKUMDFClqu7CdUx8XsCC3UpUrg7DF8dC5 Gyav7xiek9EPA+pEOdw1pIVFNA8nTpYcwitYMU7zm7E1AxRxKlJlnPaygF/7FyRP 8OA4UwFzQtCSDuQa+GMU =/XiD -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ