Hi Adam, hi David,

On Sat, Apr 25, 2015 at 05:52:58PM +0100, Adam D. Barratt wrote:
> On Sat, 2015-04-18 at 16:09 -0400, David Prévot wrote:
> [...]
> > The said period now started (yet I can’t find any definition of what
> > that means exactly), and the three security issues affecting owncloud,
> > having their targeted fixes available in Sid, still affect the version
> > in Jessie.
> >
> > Adding the security team in the loop for advice: what is the way to move
> > forward now? (Will the pending unblock requests be processed and I
> > shouldn’t worry, will the issues warrant a DSA and should I prepare it,
> > should we rather make a pu request, something else?)
>
> The unblock has semi-automagically (via a device named a jmw) been
> converted to a p-u request, but I'd still appreciate the security team's
> input on this.

Ok.

> None of CVE-2015-301[123] currently have "no-dsa" markers on the
> security tracker so it's quite possible that a DSA would be appropriate.

I think nobody has looked in the concrete three at the moment. But I
will try to do so tomorrow and give feedback. From a rough overview I
think both CVE-2015-3012 and CVE-2015-3013 are more like no-dsa (since
the first is mitigated in modern browsers and the second is due to
non-recommended setups).

The CVE-2015-3011 actually is exposed without protection, since "While
ownCloud advises browsers to disable inline JavaScript execution this
vulnerability is caused by a eval like construct which is currently
allowed in our default Content-Security-Policy, thus this is
effectively exploitable in any browser.".

David, CVE-2015-3011 is exploitable if a victim user tries to edit a
specially crafted contact item which he has access to?

Regards,
Salvatore