
Bug#781274: unblock: owncloud/7.0.4+dfsg-4



Hi David and Adam,

On Sat, Apr 25, 2015 at 10:17:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Adam, hi David,
> 
> On Sat, Apr 25, 2015 at 05:52:58PM +0100, Adam D. Barratt wrote:
> > On Sat, 2015-04-18 at 16:09 -0400, David Prévot wrote:
> > [...]
> > > The said period now started (yet I can’t find any definition of what
> > > that means exactly), and the three security issues affecting owncloud,
> > > having their targeted fixes available in Sid, still affect the version
> > > in Jessie.
> > > 
> > > Adding the security team in the loop for advice: what is the way to move
> > > forward now? (Will the pending unblock requests be processed and I
> > > shouldn’t worry, will the issues warrant a DSA and should I prepare it,
> > > should we rather make a pu request, something else?)
> > 
> > The unblock has semi-automagically (via a device named a jmw) been
> > converted to a p-u request, but I'd still appreciate the security team's
> > input on this.
> 
> Ok.
> 
> > None of CVE-2015-301[123] currently have "no-dsa" markers on the
> > security tracker so it's quite possible that a DSA would be appropriate.
> 
> I think nobody has looked in the concrete three at the moment. But I
> will try to do so tomorrow and give feedback. From a rough overview I
> think both CVE-2015-3012 and CVE-2015-3013 are more like no-dsa (since
> the first is mitigated in modern browsers and the second is due to
> non-recommended setups).
> 
> The CVE-2015-3011 actually is exposed without protection, since "While
> ownCloud advises browsers to disable inline JavaScript execution this
> vulnerability is caused by a eval like construct which is currently
> allowed in our default Content-Security-Policy, thus this is
> effectively exploitable in any browser.".
> 
> David, CVE-2015-3011 is exploitable if a victim user tries to edit a
> specially crafted contact item which he has access to?

So I checked the diff, but honestly I haven't tried to diff

 patches/0011-Apply-some-upstream-patches.patch  | 1745  ++++++++++++++++++++++++

regarding the WebODF changes.

The other non-CVE relevant changes look ok to me too, so the occ call
in postinst and the move of php5-cli to the Depends. (But not checked
an actual upgrade of the resulting owncloud packages).

Can you prepare an update to be released through jessie-security for
owncloud? Use distribution set to jessie-security and make sure to
build with -sa since the package will be new to dak on
security-master. Since the upload will be mainly 7.0.4+dfsg-4 rebuild
for jessie-security you can use 7.0.4+dfsg-4~deb8u1 as version.

Regards,
Salvatore
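
Added example, not part of the original message and not ownCloud's code: the advisory text quoted above describes a policy that blocks inline JavaScript but still permits eval-like constructs. The sketch below audits a Content-Security-Policy value for exactly those two paths; the function names and the sample policies are constructed for illustration and are not ownCloud's actual header.

```javascript
// Parse a CSP string into a Map of directive name -> lower-cased source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Report whether inline script and eval-like calls are permitted.
function auditScriptPolicy(policy) {
  const d = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) {
    // No directive governs scripts, so nothing is restricted.
    return { restricted: false, inlineAllowed: true, evalAllowed: true };
  }
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return {
    restricted: true,
    inlineAllowed: sources.includes("'unsafe-inline'") && !hasNonceOrHash,
    // 'unsafe-eval' covers eval(), new Function() and string timers.
    evalAllowed: sources.includes("'unsafe-eval'"),
  };
}

// Constructed sample policies (assumptions, not taken from ownCloud).
const SAMPLES = {
  inlineBlockedEvalAllowed: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  hardened: "default-src 'self'; script-src 'self'",
  fallbackOnly: "default-src 'self' 'unsafe-eval'; img-src *",
};

for (const [name, policy] of Object.entries(SAMPLES)) {
  console.log(name, auditScriptPolicy(policy));
}
```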

