
Bug 465538 (CVE-2013-1942)

Summary: <www-apps/owncloud-{4.0.14,4.5.9,5.0.4}: XSS and insecure database passwords generated (CVE-2013-{1941,1942})
Product: Gentoo Security
Reporter: Sean Amoss (RETIRED) <ackle>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: alexxy, voyageur, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2013/04/11/4
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Sean Amoss (RETIRED) gentoo-dev Security 2013-04-11 14:57:13 UTC
From the upstream notification at $URL:

# XSS vulnerability in jPlayer (oC-SA-2013-014)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-014/

## CVE IDENTIFIERS
- CVE-2013-1942 (jPlayer)

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- High

## COMMITS
- 53672a0 (stable5)
- 8716b7f (stable45)
- 60f6bfa (stable4)


## DESCRIPTION
A cross-site scripting (XSS) vulnerability in all ownCloud versions
prior to 5.0.4, including the 4.x branch, allows remote attackers to
execute arbitrary JavaScript when a user opens a specially crafted URL.

This vulnerability exists in the third-party plugin "jPlayer" that is
used; "jPlayer" released version 2.2.20, which addresses the problem. This
version is not yet officially released and is only available via their
Git repository.


## CREDITS
The ownCloud Team would like to thank Malte Batram (batr.am) for
discovering this vulnerability and responsibly disclosing this to us
and upstream.


## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2

---------------------------------------

# Postgre: Insecure database password generator (oC-SA-2013-015)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-015/

## CVE IDENTIFIERS
- CVE-2013-1941

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- Critical

## COMMITS
- 9a4fe09 (stable5)
- 463039d (stable45)
- cdd10ba (stable4)

## DESCRIPTION

Due to using time() as the random source in the installation routine,
the entropy of the generated PostgreSQL database user password is very
low and it can be easily guessed.

We recommend every PostgreSQL admin to change the database user
password as soon as possible!

Note: This vulnerability affects only servers using PostgreSQL as their database.

## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2
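The second advisory above (oC-SA-2013-015) says the installer derived the PostgreSQL password from time(), which is why the password is weak regardless of how long it is. The following Python example is added here to make that point concrete; it is not code from the bug report or from ownCloud. weak_password_from_time is a constructed stand-in for a time-seeded generator, not ownCloud's actual installer routine, and the one-day install window (86400 seconds) used in compare() is an assumption chosen for illustration.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def weak_password_from_time(timestamp: int, length: int = 16) -> str:
    """Constructed stand-in for a time-seeded generator (not ownCloud's code).

    The only input is the integer wall-clock second, so two installs that run
    in the same second get the same password, and anyone who can narrow the
    install time to a window of N seconds has at most N candidates to consider.
    Hashing the timestamp changes the look of the output, not its entropy.
    """
    digest = hashlib.md5(str(timestamp).encode("ascii")).hexdigest()
    return digest[:length]


def strong_password(length: int = 20) -> str:
    """CSPRNG-backed generator: every character is drawn independently from the
    OS entropy source via the `secrets` module, so entropy grows with length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def time_seeded_entropy_bits(window_seconds: int) -> float:
    """Upper bound on the entropy of a secret derived only from a timestamp:
    log2 of the number of distinct seconds the installation could have run in."""
    return math.log2(window_seconds)


def alphabet_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` characters chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def compare(window_seconds: int = 86400, length: int = 20) -> dict:
    """Summarise both generators for an assumed install-time window (one day by
    default) and a given password length."""
    return {
        "time_seeded_bits": round(time_seeded_entropy_bits(window_seconds), 1),
        "csprng_bits": round(alphabet_entropy_bits(length), 1),
        "time_seeded_candidates": window_seconds,
        "csprng_candidates": len(ALPHABET) ** length,
    }


if __name__ == "__main__":
    # Constructed timestamp, chosen to match the bug's filing time (2013-04-11 14:57:13 UTC).
    t = 1365692233
    print("same second, same password:",
          weak_password_from_time(t) == weak_password_from_time(t))
    print("CSPRNG passwords differ:", strong_password() != strong_password())
    print(compare())
```

The numbers are the whole story: a password tied to a one-day install window carries about 16 bits of entropy however it is formatted, while 20 characters drawn from a CSPRNG carry about 119 bits. For an administrator this is also the check to apply after upgrading: rotate any database password created by an affected installer, since patching the generator does not change passwords it already produced.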
Comment 1 Bernard Cafarelli gentoo-dev 2013-04-11 19:01:32 UTC
Bumped versions in tree and vulnerable versions removed (all 3 branches)
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-12 11:20:13 UTC
Thanks, Bernard!

Closing noglsa for ~arch only.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 16:30:07 UTC
CVE-2013-1942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1942):
  Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the
  Flash SWF component in jPlayer before 2.2.20, as used in ownCloud Server
  before 5.0.4 and other products, allows remote attackers to inject arbitrary
  web script or HTML via unspecified vectors, a different vulnerability than
  CVE-2013-2022 and CVE-2013-2023.