Date: Fri, 30 Nov 2012 11:12:53 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jamie Strandboge <jamie@...onical.com>, security@...cloud.org
Subject: Re: CVE Request: owncloud

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/30/2012 08:29 AM, Jamie Strandboge wrote:
> Owncloud 4.5.2 and 4.0.9 have a few security fixes:
> http://owncloud.org/changelog/
> 
> Specifically:
> - Multiple XSS vulnerabilities (oC-SA-2012-001)

http://owncloud.org/security/advisories/oc-sa-2012-001/
Please use CVE-2012-5606 for this issue.

> - Timing attack in the “Lost Password” implementation
> (oC-SA-2012-002)

http://owncloud.org/security/advisories/oc-sa-2012-002/
Please use CVE-2012-5607 for this issue.

> - XSS vulnerability in user_webdavauth (oC-SA-2012-003)

http://owncloud.org/security/advisories/oc-sa-2012-003/
Please use CVE-2012-5608 for this issue.

> - Code Execution in /lib/migrate.php (oC-SA-2012-004)

http://owncloud.org/security/advisories/oc-sa-2012-004/
Please use CVE-2012-5609 for this issue.

> - Code Execution in /lib/filesystem.php (oC-SA-2012-005)

http://owncloud.org/security/advisories/oc-sa-2012-005/
Please use CVE-2012-5610 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
