From the upstream notification at $URL:

# XSS vulnerability in jPlayer (oC-SA-2013-014)

Web: https://owncloud.org/about/security/advisories/oC-SA-2013-014/

## CVE IDENTIFIERS

- CVE-2013-1942 (jPlayer)

## AFFECTED SOFTWARE

- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK

- High

## COMMITS

- 53672a0 (stable5)
- 8716b7f (stable45)
- 60f6bfa (stable4)

## DESCRIPTION

A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.4, including the 4.x branch, allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. This vulnerability exists in the used 3rdparty plugin "jPlayer"; jPlayer released version 2.2.20, which addresses the problem. This version is not yet officially released and only available via their GIT repository.

## CREDITS

The ownCloud Team would like to thank Malte Batram (batr.am) for discovering this vulnerability and responsibly disclosing this to us and upstream.

## RESOLUTION

Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14

http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2

---------------------------------------

# Postgre: Insecure database password generator (oC-SA-2013-015)

Web: https://owncloud.org/about/security/advisories/oC-SA-2013-015/

## CVE IDENTIFIERS

- CVE-2013-1941

## AFFECTED SOFTWARE

- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK

- Critical

## COMMITS

- 9a4fe09 (stable5)
- 463039d (stable45)
- cdd10ba (stable4)

## DESCRIPTION

Due to using "time()" as random source in the installation routine, the entropy of the generated PostgreSQL database user password is very low and can be easily guessed. We recommend that every PostgreSQL admin change the database user password as soon as possible!

Note: This vulnerability affects just servers using PostgreSQL as database.

## RESOLUTION

Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14

http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2
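As an added illustration of the second advisory (constructed example, not ownCloud's installer code), a password generator whose only input is the install-time clock is placed beside a CSPRNG-based one, and the entropy of each is computed for the case where the install time is known to within some window (the hash and window sizes are assumptions):

```python
import hashlib
import math
import secrets


def weak_db_password(install_time: int) -> str:
    """Constructed weak generator in the spirit of oC-SA-2013-015: the only
    input is a Unix timestamp, so two installs in the same second produce
    the same password and the whole password space is one value per second.
    (Hypothetical code, not the actual ownCloud routine.)"""
    return hashlib.sha256(str(install_time).encode()).hexdigest()[:16]


def weak_entropy_bits(window_seconds: int) -> float:
    """If the install time is known to lie within window_seconds (a file
    mtime, a log line, a package install date), the password has only that
    many possible values; entropy in bits is log2 of the candidate count."""
    if window_seconds < 1:
        raise ValueError("window must be at least one second")
    return math.log2(window_seconds)


def strong_db_password(nbytes: int = 32) -> str:
    """Hardened form: draw the password from the OS CSPRNG via secrets,
    which never depends on the clock."""
    return secrets.token_urlsafe(nbytes)


def strong_entropy_bits(nbytes: int = 32) -> float:
    """Each CSPRNG byte contributes a full 8 bits."""
    return 8.0 * nbytes


def entropy_comparison(window_seconds: int, nbytes: int = 32) -> dict:
    """Summarise how many bits an observer must guess in each design."""
    weak = weak_entropy_bits(window_seconds)
    strong = strong_entropy_bits(nbytes)
    return {"weak_bits": round(weak, 1), "strong_bits": strong,
            "ratio": round(strong / weak, 1)}


if __name__ == "__main__":
    # A one-day install window (86400 s) versus a 32-byte CSPRNG password.
    print(entropy_comparison(86400))
```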
Bumped versions in tree and vulnerable versions removed (all 3 branches)
Thanks, Bernard! Closing noglsa for ~arch only.
CVE-2013-1942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1942): Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the Flash SWF component in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.