
Re: [SECURITY] [DSA 3244-1] owncloud security update



Will do once you send me the pdf

On 02/05/15 12:15, Salvatore Bonaccorso wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3244-1                   security@debian.org
> http://www.debian.org/security/                      Salvatore Bonaccorso
> May 02, 2015                           http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : owncloud
> CVE ID         : CVE-2015-3011 CVE-2015-3012 CVE-2015-3013
>
> Multiple vulnerabilities were discovered in ownCloud, a cloud storage
> web service for files, music, contacts, calendars and many more.
>
> CVE-2015-3011
>
>     Hugh Davenport discovered that the "contacts" application shipped
>     with ownCloud is vulnerable to multiple stored cross-site
>     scripting attacks. This vulnerability is effectively exploitable
>     in any browser.
>
> CVE-2015-3012
>
>     Roy Jansen discovered that the "documents" application shipped with
>     ownCloud is vulnerable to multiple stored cross-site scripting
>     attacks. This vulnerability is not exploitable in browsers that
>     support the current CSP standard.
>
> CVE-2015-3013
>
>     Lukas Reschke discovered a blacklist bypass vulnerability, allowing
>     authenticated remote attackers to bypass the file blacklist and
>     upload files such as the .htaccess files. An attacker could leverage
>     this bypass by uploading a .htaccess and execute arbitrary PHP code
>     if the /data/ directory is stored inside the web root and a web
>     server that interprets .htaccess files is used. On default Debian
>     installations the data directory is outside of the web root and thus
>     this vulnerability is not exploitable by default.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 7.0.4+dfsg-4~deb8u1.
>
> For the testing distribution (stretch), these problems have been fixed
> in version 7.0.4+dfsg-3.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 7.0.4+dfsg-3.
>
> We recommend that you upgrade your owncloud packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> -----END PGP SIGNATURE-----
>
>
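
Added example, not part of the advisory or of ownCloud's code: a check for the CVE-2015-3013 precondition quoted above (data directory inside the web root), which also lists any .htaccess files under the data directory for review. All function names are hypothetical and the directory layout in build_sample is constructed.

```python
import os
import tempfile


def _within(path, root):
    # commonpath compares whole components, so /var/www2 is not "inside" /var/www
    return os.path.commonpath([path, root]) == root


def data_dir_exposed(data_dir, web_root):
    """True if data_dir lies under web_root lexically or after resolving symlinks."""
    lexical = _within(os.path.abspath(data_dir), os.path.abspath(web_root))
    resolved = _within(os.path.realpath(data_dir), os.path.realpath(web_root))
    # Either case can make the directory reachable through the web server:
    # a symlink inside the web root, or a configured path that resolves into it.
    return lexical or resolved


def find_htaccess(data_dir):
    """Relative paths of every .htaccess file below data_dir, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(data_dir):
        if ".htaccess" in files:
            hits.append(os.path.relpath(os.path.join(dirpath, ".htaccess"), data_dir))
    return sorted(hits)


def audit(data_dir, web_root):
    return {"exposed": data_dir_exposed(data_dir, web_root),
            "htaccess": find_htaccess(data_dir)}


def build_sample(base):
    """Constructed layout for the demo; every path here is made up."""
    web_root = os.path.join(base, "www")
    inside = os.path.join(web_root, "owncloud", "data")
    outside = os.path.join(base, "lib", "owncloud", "data")
    os.makedirs(os.path.join(inside, "alice", "files"))
    os.makedirs(os.path.join(outside, "bob", "files"))
    open(os.path.join(inside, "alice", "files", ".htaccess"), "w").close()
    link = os.path.join(web_root, "shared")
    os.symlink(outside, link)  # data dir outside, but linked into the web root
    return web_root, inside, outside, link


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        web_root, inside, outside, link = build_sample(base)
        for d in (inside, outside, link):
            print(d, audit(d, web_root))
```

An "exposed" result only matters on a web server that interprets .htaccess files, the second condition the advisory names.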

