Version 5.0.2 was released and contains a fix for a very annoying file-conflict bug: https://github.com/owncloud/mirall/issues/446#issuecomment-15773371
Because of this bug, I set the severity to normal instead of the usual enhancement.
Reproducible: Always
This release fixes a critical bug, so I put the severity back to "normal" as stated in the original report.
Thanks for the report! I follow the upstream releases list and I am waiting for 5.0.3 (due today or tomorrow), which fixes upgrades from 5.0.0, before adding to tree.
Re-assigning to security though, as the changelog for 5.0.1 mentions 2 security issues (no details available yet, but they should only affect the 5.x branch)
The new version is now available:
    Version 5.0.3 April 3th 2013
    Correctly handle .part files
    Improve PostgreSQL support
    Fix database upgrading from old versions
    Improved app styles
And it is in portage CVS, please wait for the next sync and you should have it
@security, vulnerabilities are not yet public:
    http://owncloud.org/about/security/advisories/oC-SA-2013-011/
    http://owncloud.org/about/security/advisories/oC-SA-2013-012/
previous 5.x versions removed from tree
An update from 5.0.0 -> 5.0.3 using postgres fails:
    Updating ownCloud to version 5.0.3, this may take a while.
    Turned on maintenance mode
    Updated database
    SQLSTATE[42703]: Undefined column: 7 ERROR: column "{DAV:}getetag" does not exist
    LINE 1: ...id" = $1 AND propertypath = $2 AND propertyname = "{DAV:}get...
    ^
see here: https://github.com/owncloud/core/issues/2709 (sorry if this should be a new bug)
A working 5.0.3 for the bump would be nicer :)
From the bug report, this patch should fix the problem, can you test?
    https://github.com/owncloud/core/commit/e75406e7120271ebfecf2260b95040509dfcf168.diff
I'll make a 5.0.3-r1 with it if it works for you (I only have mysql setups around)
Patch added after positive feedback from upstream bug (https://github.com/owncloud/core/issues/2666) in 5.0.3-r1
Vulnerabilities now have CVE ids: CVE-2013-1890 and CVE-2013-1893
The change - applied to the live webtree - works for me.
Thanks, everyone. Closing noglsa for ~arch only issue.
CVE-2013-1893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1893): SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application.
CVE-2013-1890 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1890): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/.