Re: [SECURITY] [DSA 3244-1] owncloud security update
Will do once you send me the pdf
On 02/05/15 12:15, Salvatore Bonaccorso wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3244-1 security@debian.org
> http://www.debian.org/security/ Salvatore Bonaccorso
> May 02, 2015 http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package : owncloud
> CVE ID : CVE-2015-3011 CVE-2015-3012 CVE-2015-3013
>
> Multiple vulnerabilities were discovered in ownCloud, a cloud storage
> web service for files, music, contacts, calendars and many more.
>
> CVE-2015-3011
>
> Hugh Davenport discovered that the "contacts" application shipped
> with ownCloud is vulnerable to multiple stored cross-site
> scripting attacks. This vulnerability is effectively exploitable
> in any browser.
>
> CVE-2015-3012
>
> Roy Jansen discovered that the "documents" application shipped with
> ownCloud is vulnerable to multiple stored cross-site scripting
> attacks. This vulnerability is not exploitable in browsers that
> support the current CSP standard.
>
> CVE-2015-3013
>
> Lukas Reschke discovered a blacklist bypass vulnerability, allowing
> authenticated remote attackers to bypass the file blacklist and
> upload files such as the .htaccess files. An attacker could leverage
> this bypass by uploading a .htaccess and execute arbitrary PHP code
> if the /data/ directory is stored inside the web root and a web
> server that interprets .htaccess files is used. On default Debian
> installations the data directory is outside of the web root and thus
> this vulnerability is not exploitable by default.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 7.0.4+dfsg-4~deb8u1.
>
> For the testing distribution (stretch), these problems have been fixed
> in version 7.0.4+dfsg-3.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 7.0.4+dfsg-3.
>
> We recommend that you upgrade your owncloud packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----
>
>
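An added example, not part of the advisory or of the reply above: a check for the two conditions the advisory ties to CVE-2015-3013, namely whether the data directory resolves to a location inside the web root and whether any .htaccess files sit under it. The directory names and the `alice/files` layout are constructed sample data, and the function names are hypothetical.

```python
import os
import tempfile

def data_dir_in_web_root(data_dir, web_root):
    """True if data_dir, with symlinks resolved, is web_root or lies below it."""
    data = os.path.realpath(data_dir)
    root = os.path.realpath(web_root)
    # commonpath compares whole components, so /var/www-data is not "inside" /var/www.
    return os.path.commonpath([data, root]) == root

def find_htaccess(data_dir):
    """Return every .htaccess under data_dir, per-user subdirectories included."""
    hits = []
    for dirpath, _dirs, files in os.walk(data_dir):
        if ".htaccess" in files:
            hits.append(os.path.join(dirpath, ".htaccess"))
    return sorted(hits)

def assess(data_dir, web_root):
    """Summarise the conditions the advisory names for CVE-2015-3013."""
    inside = data_dir_in_web_root(data_dir, web_root)
    return {
        "data_dir_in_web_root": inside,
        # Listed only when the web server can reach the directory at all.
        "htaccess_to_review": find_htaccess(data_dir) if inside else [],
    }

def build_constructed_layouts(base):
    """Constructed sample trees (not real ownCloud installs) for the demo."""
    web_root = os.path.join(base, "var", "www")
    inside = os.path.join(web_root, "owncloud", "data")
    outside = os.path.join(base, "var", "lib", "owncloud", "data")
    for d in (inside, outside):
        os.makedirs(os.path.join(d, "alice", "files"))
        with open(os.path.join(d, "alice", "files", ".htaccess"), "w") as fh:
            fh.write("# constructed placeholder\n")
    # A configured path that looks external but is a symlink into the web root.
    link = os.path.join(base, "srv-data")
    os.symlink(inside, link)
    return web_root, inside, outside, link

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        web_root, inside, outside, link = build_constructed_layouts(base)
        for label, path in (("inside", inside), ("outside", outside), ("symlink", link)):
            print(label, assess(path, web_root))
```

On a real host, call `assess()` with the configured data directory and the web server's document root; whether the server honours .htaccess files has to be checked in its own configuration.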