| Summary: | <www-apps/owncloud-4.0.7 version bump (CVE-2012-{4389,4390,4391}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matija "hook" Šuklje <matija> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | bugzie, gustav.schaffter, jesse, voyageur, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Matija "hook" Šuklje
2012-08-15 22:29:47 UTC
Changelog:

---
Version 4.0.7 Aug 15th 2012

- Show Login Button when user and password are auto-completed
- Sanitize LDAP base, user and groups
- Fix non active Adressbooks
- Calendar: Remove double html encoding
- Fix label for versioning in admin settings
- Add parent directory into filecache if it doesn't exist
- Handle non writable files correctly
- Disable webfinger completely if not activated
- Security: Disable user listings in DAV
- Check file blacklist for file renames
- Security: Fix XSS bug in Gallery
- Security: Several CSRF security fixes
- Security: Validate cookie to prevent auth bypasses

Special thanks to Julien Cayssol for reporting several security problems

Download: http://download.owncloud.org/releases/owncloud-4.0.7.tar.bz2
MD5: http://download.owncloud.org/releases/owncloud-4.0.7.tar.bz2.md5
---

Cheers!

Thanks for the report! 4.0.7 is in tree now (I have limited availability in august, so bumps may be delayed for a few days). For arm keywording, can you open a separate bug?

CVE-2012-4391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4391): Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations.

CVE-2012-4390 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4390): (1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors.

CVE-2012-4389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4389): Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file.

Maintainers, please ensure that security bugs are turned over to the security team.
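The CVE-2012-4389 entry above describes an import archive whose entry names slipped past an incomplete filename blacklist. As an added illustration of the defensive check involved (this is not ownCloud's lib/migrate.php code, and the function names, blacklist contents and sample archive are assumptions constructed for the example), the following audits an uploaded zip before anything is extracted, catching the .htaccess and PHP-file combination in any subdirectory and regardless of case, plus path traversal:

```python
# Added example: audit an "import.zip" upload before extraction.
# Names, blacklist contents and the sample archive are assumptions,
# not ownCloud's own lib/migrate.php implementation.
import io
import posixpath
import zipfile

# Filenames that must never land in a web-served directory; compared
# case-insensitively on the basename so "sub/dir/.HTACCESS" is caught too.
BLACKLISTED_NAMES = {".htaccess", ".htpasswd", ".user.ini"}

# The RCE needs a PHP file next to the .htaccess, so executable
# extensions are refused as well, including "note.php.txt" double names.
BLACKLISTED_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def is_blacklisted(name: str) -> bool:
    """True if a zip entry name must be rejected by filename alone."""
    base = posixpath.basename(name.replace("\\", "/").rstrip("/")).lower()
    if base in BLACKLISTED_NAMES:
        return True
    parts = base.split(".")
    return any("." + p in BLACKLISTED_EXTENSIONS for p in parts[1:])


def is_unsafe_path(name: str) -> bool:
    """True for absolute paths or parent-directory traversal in the archive."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def audit_import_zip(data: bytes) -> list:
    """Return the entry names that would be refused, in archive order."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_path(info.filename) or is_blacklisted(info.filename):
                rejected.append(info.filename)
    return rejected


def build_sample_zip() -> bytes:
    """Constructed sample: benign calendar data plus hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("calendar/events.ics", "BEGIN:VCALENDAR\nEND:VCALENDAR\n")
        zf.writestr("files/.HTACCESS", "AddType application/x-httpd-php .txt\n")
        zf.writestr("files/note.php.txt", "<?php echo 1; ?>")
        zf.writestr("../outside.txt", "traversal")
    return buf.getvalue()
```

Running `audit_import_zip(build_sample_zip())` returns the three hostile entries and leaves the .ics file untouched; a real importer should reject the whole archive when this list is non-empty rather than skip entries one by one.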