
Bug 552630

Summary: <www-apps/owncloud-{5.0.19,6.0.7,7.0.5}: Multiple vulnerabilities (CVE-2015-{3011,3012,3013})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: voyageur, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 13:42:35 UTC
CVE-2015-3013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3013):
  ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows
  remote authenticated users to bypass the file blacklist and upload arbitrary
  files via a file path with UTF-8 encoding, as demonstrated by uploading a
  .htaccess file.

CVE-2015-3012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3012):
  Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0.5.5,
  as used in ownCloud, allow remote attackers to inject arbitrary web script
  or HTML via a (1) style or (2) font name or (3) javascript or (4) data URI.

CVE-2015-3011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3011):
  Multiple cross-site scripting (XSS) vulnerabilities in the contacts
  application in ownCloud Server Community Edition before 5.0.19, 6.x before
  6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject
  arbitrary web script or HTML via a crafted contact.
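An added defender's illustration, not part of this bug report and not ownCloud's code: the CVE-2015-3013 entry above describes a file-name blacklist that a UTF-8-encoded path gets past. The page does not say which encoding trick was used, so this Python example assumes the general failure mode, a blacklist compared against the raw name so that any spelling that is not byte-identical to the blacklisted entry slips through. The hardened check decodes strictly (rejecting malformed or overlong UTF-8), NFKC-normalizes, keeps only the final path component and rejects control characters before comparing. The blacklist set, the fullwidth-dot sample name and all function names are constructed for this example.

```python
import unicodedata

# Constructed blacklist for the example; .htaccess is the case the advisory names.
BLACKLISTED_NAMES = {".htaccess"}


def naive_is_blacklisted(name: str) -> bool:
    """Weak check (assumed failure mode): compares the raw string only, so any
    spelling that is not byte-identical to a blacklist entry is not caught."""
    return name in BLACKLISTED_NAMES


def canonical_basename(raw: bytes) -> str:
    """Reduce an uploaded file name to one canonical form before any policy check.

    - strict UTF-8 decoding rejects malformed and overlong byte sequences
    - NFKC folds compatibility characters (e.g. fullwidth '.' U+FF0E -> '.')
    - only the last path component is kept, so a directory prefix cannot hide it
    - control characters are refused outright
    """
    name = raw.decode("utf-8", errors="strict")
    name = unicodedata.normalize("NFKC", name)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        raise ValueError("control character in file name")
    return name


def hardened_is_blacklisted(raw: bytes) -> bool:
    """Blacklist check on the canonical form; casefold is deliberately conservative."""
    return canonical_basename(raw).casefold() in BLACKLISTED_NAMES


def is_safe_upload_name(raw: bytes) -> bool:
    """Accept-or-reject decision: anything that fails to canonicalize is rejected."""
    try:
        return not hardened_is_blacklisted(raw)
    except (UnicodeDecodeError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample names: plain, fullwidth-dot variant, nested path, overlong UTF-8.
    fullwidth = "\uff0ehtaccess"  # FULLWIDTH FULL STOP followed by "htaccess"
    print("naive, plain     :", naive_is_blacklisted(".htaccess"))
    print("naive, fullwidth :", naive_is_blacklisted(fullwidth))
    print("hardened, fullwidth:", hardened_is_blacklisted(fullwidth.encode("utf-8")))
    print("hardened, nested :", hardened_is_blacklisted(b"docs/.htaccess"))
    print("safe, overlong   :", is_safe_upload_name(b"\xc0\xaehtaccess"))
    print("safe, report.pdf :", is_safe_upload_name(b"report.pdf"))
```

The point of the structure is that every policy decision (blacklist, extension rules, per-directory rules) runs on the output of `canonical_basename`, never on the bytes the client sent; if a future encoding quirk is found, only that one function needs to change. The same canonical form should also be what is used when the file is written to disk, so the name that was checked is the name that is stored.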
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2015-06-20 13:43:22 UTC
Opened for tracking CVEs.

Closing noglsa for ~arch only.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2015-06-20 13:46:02 UTC
Mar 2015; Bernard Cafarelli <voyageur@gentoo.org> -owncloud-5.0.18.ebuild,
  +owncloud-5.0.19.ebuild, -owncloud-6.0.6.ebuild, +owncloud-6.0.7.ebuild,
  -owncloud-7.0.4.ebuild, +owncloud-7.0.5.ebuild, +owncloud-8.0.2.ebuild:
  Version bumps, remove previous versions for old branches as some changelogs
  report security fixes

And maintainers: in the future, please report a security bug when you are aware that there are security fixes.