[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#781274: unblock: owncloud/7.0.4+dfsg-4

Hi David and Adam,

On Sat, Apr 25, 2015 at 10:17:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Adam, hi David,
> On Sat, Apr 25, 2015 at 05:52:58PM +0100, Adam D. Barratt wrote:
> > On Sat, 2015-04-18 at 16:09 -0400, David Prévot wrote:
> > [...]
> > > The said period now started (yet I can’t find any definition of what
> > > that means exactly), and the three security issues affecting owncloud,
> > > having their targeted fixes available in Sid, still affect the version
> > > in Jessie.
> > > 
> > > Adding the security team in the loop for advice: what is the way to move
> > > forward now? (Will the pending unblock requests be processed and I
> > > shouldn’t worry, will the issues warrant a DSA and should I prepare it,
> > > should we rather make a pu request, something else?)
> > 
> > The unblock has semi-automagically (via a device named a jmw) been
> > converted to a p-u request, but I'd still appreciate the security team's
> > input on this.
> Ok.
> > None of CVE-2015-301[123] currently have "no-dsa" markers on the
> > security tracker so it's quite possible that a DSA would be appropriate.
> I think nobody has looked in the concrete three at the moment. But I
> will try to do so tomorrow and give feedback. From a rough overview I
> think both CVE-2015-3012 and CVE-2015-3013 are more like no-dsa (since
> the first is mitigated in modern browsers and the second is due to
> non-recommended setups).
> The CVE-2015-3011 actually is exposed without protection, since "While
> ownCloud advises browsers to disable inline JavaScript execution this
> vulnerability is caused by a eval like construct which is currently
> allowed in our default Content-Security-Policy, thus this is
> effectively exploitable in any browser.".
> David, CVE-2015-3011 is exploitable if a victim user tries to edit a
> specially crafted contact item which he has access to?

So I checked the diff, but honestly I havent tried to diff

 patches/0011-Apply-some-upstream-patches.patch  | 1745  ++++++++++++++++++++++++

regarding the WebODF changes.

The other non-CVE relevant changes look ok to me too, so the occ call
in postinst and the move of php5-cli to the Depends. (But not checked
an actual upgrade of the resulting owncloud packages).

Can you prepare an update to be released through jessie-security for
owncloud? Use distribution set to jessie-security and make sure to
build with -sa since the package will be new to dak on
security-master. Since the upload will be mainly 7.0.4+dfsg-4 rebuild
for jessie-security you can use 7.0.4+dfsg-4~deb8u1 as version.


Reply to: