Date: Mon, 5 Aug 2013 23:33:38 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com, security@...cloud.com
Subject: owncloud 5.0.8 and 4.5.13 (oC-SA-2013-029 and oC-SA-2013-030) - CVE
 assignments?

Hi

(not a CVE request per se, more to clarify/ask back): Owncloud 4.5.13
and 5.0.8 fixed both bugs marked SECURITY at [1].

 [1] http://owncloud.org/releases/Changelog

Release  "5.0.8"
July 9. 2013

- SECURITY: XSS vulnerability in "Share Interface" (oC-SA-2013-029)
- SECURITY: Authentication bypass in "user_webdavauth" (oC-SA-2013-030)
- New anonymous upload feature
- Fix syncing of external filesystems
- External filesystems performance improvements
- Improve compatibility with Oracle
- Improved and simplified theming
- Internet explorer 8 fixes
- Fixes for partial file uploads
- LDAP: fix handling of User and Group Bases
- Improved and more robust upgrade system
- A lot of encryption system fixes
- Do not add groups if user has no groups
- Several Contacts fixes
- A lot of smaller bugfixes all over the place

Download: http://download.owncloud.org/community/owncloud-5.0.8.tar.bz2
MD5: http://download.owncloud.org/community/owncloud-5.0.8.tar.bz2.md5

-------------------------------
Release  "4.5.13"
July 9. 2013

- SECURITY: Authentication bypass in "user_webdavauth" (oC-SA-2013-030)
- Fixed deleting old files versions

Download: http://download.owncloud.org/community/owncloud-4.5.13.tar.bz2
MD5: http://download.owncloud.org/community/owncloud-4.5.13.tar.bz2.md5

Looking at [2] there are no references to oC-SA-2013-029 and
oC-SA-2013-030 and CVE assignments for these issues. Were they
already requested? (Cc'ing also the security@...cloud.com team,
reading from [3] it's not clear if they were already assigned).

But the following might be emphasized (from [3]):

[11:38:54] <AnybodyElse> Luigi12_work: I'll release them as soon as possible. Sorry. I'm actually *very* busy with my job.
[11:40:00] <AnybodyElse> Luigi12_work: that said: the vulnerabilities aren't really severe and only exploitable in some very special and unusuable setups

 [2] http://owncloud.org/about/security/advisories/
 [3] https://bugs.mageia.org/show_bug.cgi?id=10763#c8

Regards,
Salvatore
