Bug 466474 (CVE-2013-1967) - <www-apps/owncloud-{4.5.10,5.0.5}: XSS and authentication bypass (CVE-2013-{1963,1967})
Status: RESOLVED FIXED
Alias: CVE-2013-1967
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2013-04-19 15:35 UTC by Sean Amoss (RETIRED)
Modified: 2013-04-21 12:55 UTC

Description Sean Amoss (RETIRED) gentoo-dev Security 2013-04-19 15:35:42 UTC
Upstream changelog [1] lists two security fixes in 5.0.5 and 4.5.10:

Security: XSS in flashmediaelement.swf (oC-SA-2013-017)
Security: Authentication bypass in calendar (oC-SA-2013-018)


oC-SA-2013-017 has been assigned [2] CVE-2013-1967.

The details of these issues have not yet been released on upstream's advisory page [3].


[1] http://owncloud.org/changelog/
[2] http://seclists.org/oss-sec/2013/q2/111
[3] http://owncloud.org/about/security/advisories
Comment 1 Bernard Cafarelli gentoo-dev 2013-04-19 21:38:39 UTC
5.0.5 and 4.5.10 are in tree now, I removed vulnerable 5.0.4 and 4.5.9 ebuilds.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-20 13:53:30 UTC
(In reply to comment #1)
> 5.0.5 and 4.5.10 are in tree now, I removed vulnerable 5.0.4 and 4.5.9
> ebuilds

Thanks, Bernard.

Closing noglsa for ~arch only.