Bug 431574 (CVE-2012-4389) - <www-apps/owncloud-4.0.7 version bump (CVE-2012-{4389,4390,4391})
Summary: <www-apps/owncloud-4.0.7 version bump (CVE-2012-{4389,4390,4391})
Status: RESOLVED FIXED
Alias: CVE-2012-4389
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-15 22:29 UTC by Matija "hook" Šuklje
Modified: 2012-09-08 15:48 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matija "hook" Šuklje 2012-08-15 22:29:47 UTC
ownCloud 4.0.7 is out and includes important security fixes. Please bump the ebuild.

(Also, I'm running 4.0.5 on ARM and it works, so IMHO it could at least be keyworded with ~arm)
Comment 1 Jesse Adelman 2012-08-19 21:21:05 UTC
Changelog:

---
Version 4.0.7 Aug 15th 2012

    Show Login Button when user and password are auto-completed
    Sanitize LDAP base, user and groups
    Fix non active Addressbooks
    Calendar: Remove double html encoding
    Fix label for versioning in admin settings
    Add parent directory into filecache if it doesn't exist
    Handle non writable files correctly
    Disable webfinger completely if not activated
    Security: Disable user listings in DAV
    Check file blacklist for file renames
    Security: Fix XSS bug in Gallery
    Security: Several CSRF security fixes
    Security: Validate cookie to prevent auth bypasses
    Special thanks to Julien Cayssol for reporting several security problems

Download: http://download.owncloud.org/releases/owncloud-4.0.7.tar.bz2
MD5: http://download.owncloud.org/releases/owncloud-4.0.7.tar.bz2.md5
---

Cheers!
Comment 2 Bernard Cafarelli gentoo-dev 2012-08-21 08:28:53 UTC
Thanks for the report! 4.0.7 is in tree now (I have limited availability in August, so bumps may be delayed for a few days)

For arm keywording, can you open a separate bug?
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:46:09 UTC
CVE-2012-4391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4391):
  Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php
  in ownCloud before 4.0.7 allows remote attackers to hijack the
  authentication of administrators for requests that edit the app
  configurations.

CVE-2012-4390 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4390):
  (1) apps/calendar/appinfo/remote.php and (2)
  apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote
  authenticated users to enumerate the registered users via unspecified
  vectors.

CVE-2012-4389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4389):
  Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before
  4.0.7 allows remote attackers to execute arbitrary code by uploading a
  crafted .htaccess file in an import.zip file and accessing an uploaded PHP
  file.
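A defensive filter for the import.zip case described in CVE-2012-4389 above, written as an added example (it is not ownCloud's lib/migrate.php code): instead of a blacklist of dangerous names, it allowlists extensions, rejects dotfiles such as .htaccess, and rejects double extensions. The allowed-extension list and the helper names are assumptions.

```php
<?php
// Added example, not ownCloud's code. Assumption: the caller has already
// opened the uploaded archive with ZipArchive; the extension allowlist is
// illustrative, not ownCloud's real import format list.
const IMPORT_ALLOWED_EXTENSIONS = ['json', 'xml', 'vcf', 'ics', 'txt', 'csv', 'png', 'jpg'];

/**
 * True only for archive entries that are safe to write below a web-served
 * import directory. An allowlist is used rather than a blacklist, so a file
 * the blacklist author did not think of (e.g. .htaccess, which can re-enable
 * PHP execution for otherwise harmless extensions) is rejected by default.
 */
function isSafeImportEntry(string $entry): bool
{
    $isDir = substr($entry, -1) === '/';
    $path  = str_replace('\\', '/', rtrim($entry, '/'));
    if ($path === '' || strpos($path, "\0") !== false || $path[0] === '/') {
        return false;                      // empty, NUL-containing or absolute
    }
    foreach (explode('/', $path) as $component) {
        // "", "." and ".." break containment; any dotfile (.htaccess,
        // .user.ini, ...) can change server behaviour, so reject them all.
        if ($component === '' || $component === '..' || $component[0] === '.') {
            return false;
        }
    }
    if ($isDir) {
        return true;                       // directory entry with sane components
    }
    $base = basename($path);
    // Apache mod_mime evaluates every extension of "x.php.json", so a second
    // dot in the basename is rejected outright rather than reasoned about.
    if (substr_count($base, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, IMPORT_ALLOWED_EXTENSIONS, true);
}

/** Extract only safe entries; return the names that were refused. */
function extractImportZip(ZipArchive $zip, string $dest): array
{
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeImportEntry($name)) {
            $rejected[] = $name;           // e.g. ".htaccess", "x.php", "a/../b.txt"
            continue;
        }
        $zip->extractTo($dest, [$name]);
    }
    return $rejected;
}
```

Logging the rejected names gives operators a detection signal for crafted import archives, while the allowlist keeps the fix from depending on an ever-growing list of bad names.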
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-08 15:48:08 UTC
Maintainers, please ensure that security bugs are turned over to the security team.