Bug 589222 - <www-apps/owncloud-{8.1.9,8.2.7,9.0.4}: HTTPoxy vulnerability (as filed for PHP) (CVE-2016-5385)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://owncloud.org/blog/owncloud-9-...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks: 589224
Reported: 2016-07-20 12:15 UTC by Bernard Cafarelli
Modified: 2016-07-20 12:52 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Description Bernard Cafarelli gentoo-dev 2016-07-20 12:15:37 UTC
Per $URL:
We have released ownCloud server versions 9.0.4, 8.2.7, 8.1.9 and 8.0.14, which contain several bug fixes as well as security-related issues.

A third party component called “Guzzle” is affected by the HTTPoxy vulnerability (as filed as CVE-2016-5385 for PHP). This component, which handles HTTP requests on behalf of ownCloud, can be tricked into passing inbound requests to a proxy server controlled by a third party. In combination with the ajax cron feature, the third party can potentially see external storage credentials and data. We recommend using system cron whenever possible, which also significantly improves reliability and experience.

Mitigation/Fix

If possible, we recommend an immediate update to 9.0.4, 8.2.7 or 8.1.9 respectively, which each contain a patch for Guzzle. ownCloud 8.0 is shipping an older version of Guzzle and is not affected. However, 8.0.14 fixes a number of other issues and we encourage everyone on older versions of 8.0 to update right away as well.


New versions are in tree, and I removed the vulnerable versions (8.1, 8.2, 9.0 branches).
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 12:20:58 UTC
CVE-2016-5385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5385):
  PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
  namespace conflicts and therefore does not protect applications from the
  presence of untrusted client data in the HTTP_PROXY environment variable,
  which might allow remote attackers to redirect an application's outbound
  HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an
  HTTP request, as demonstrated by (1) an application that makes a
  getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an
  "httpoxy" issue.
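The mechanism in the CVE text above (a `Proxy` request header becoming `HTTP_PROXY` under CGI, and a client that then trusts `HTTP_PROXY`) is easier to see in code. The following PHP is an added example written for this page; it is not code from Gentoo, ownCloud or Guzzle. The function names, the `$sapi` parameter (passed in rather than read from `PHP_SAPI` so both branches run in one script), the host names and the proxy addresses are all constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from Gentoo, ownCloud or Guzzle. It models how a PHP
// HTTP client's proxy lookup decides whether an inbound request can steer
// outbound traffic (the httpoxy issue, CVE-2016-5385). All names and values
// below are constructed for the illustration.

/**
 * RFC 3875 section 4.1.18: a CGI gateway exposes each request header as the
 * meta-variable "HTTP_" + header name upper-cased, with "-" replaced by "_".
 * Only a header literally named "Proxy" collides with the conventional
 * HTTP_PROXY setting; "Https-Proxy" becomes HTTP_HTTPS_PROXY and is harmless.
 */
function cgiHeaderToEnvName(string $header): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

/** Environment a CGI/FastCGI PHP sees for one request (constructed model). */
function cgiEnvironmentFor(array $headers, array $processEnv): array
{
    $env = $processEnv;
    $env['REQUEST_METHOD'] = 'GET';
    foreach ($headers as $name => $value) {
        $env[cgiHeaderToEnvName($name)] = $value;
    }
    return $env;
}

/** Vulnerable pattern: trusts HTTP_PROXY no matter how PHP was started. */
function proxyFromEnvVulnerable(array $env): ?string
{
    return (isset($env['HTTP_PROXY']) && $env['HTTP_PROXY'] !== '') ? $env['HTTP_PROXY'] : null;
}

/**
 * Hardened pattern: HTTP_PROXY is honoured only when no request is being
 * served (CLI SAPI). While serving a request only the lower-case http_proxy
 * name is consulted: CGI never emits lower-case meta-variables, so a request
 * header cannot set it. $sapi is a parameter (instead of reading PHP_SAPI
 * directly) so both branches can be exercised in one run.
 */
function proxyFromEnvHardened(array $env, string $sapi): ?string
{
    $trusted = $sapi === 'cli' ? ['HTTP_PROXY', 'http_proxy'] : ['http_proxy'];
    foreach ($trusted as $name) {
        if (isset($env[$name]) && $env[$name] !== '') {
            return $env[$name];
        }
    }
    return null;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("unexpected: $what");
    }
    echo "ok: $what\n";
}

// Scenario 1 (constructed): the operator configured no proxy; a request
// arrives carrying a "Proxy" header. Under CGI it lands in HTTP_PROXY.
$request = cgiEnvironmentFor(
    ['Host' => 'cloud.example', 'Proxy' => 'http://203.0.113.5:8080'],
    ['PATH' => '/usr/bin']
);
check(proxyFromEnvVulnerable($request) === 'http://203.0.113.5:8080',
      'vulnerable lookup lets the request choose the outbound proxy');
check(proxyFromEnvHardened($request, 'fpm-fcgi') === null,
      'hardened lookup ignores HTTP_PROXY while serving a request');

// Scenario 2 (constructed): a system-cron job (CLI) with a legitimately
// configured proxy keeps working, because no request header reaches a CLI process.
check(proxyFromEnvHardened(['HTTP_PROXY' => 'http://proxy.internal:3128'], 'cli') === 'http://proxy.internal:3128',
      'hardened lookup still honours HTTP_PROXY from the CLI');

// Scenario 3: only "Proxy" collides; other proxy-like headers keep the HTTP_ prefix.
check(cgiHeaderToEnvName('Https-Proxy') === 'HTTP_HTTPS_PROXY',
      'Https-Proxy header cannot masquerade as HTTPS_PROXY');
```

Scenario 2 is why the advisory quoted in comment 0 recommends system cron over ajax cron: ajax cron runs ownCloud's background jobs (including external-storage access through Guzzle) inside a web request, exactly the context where a `Proxy` header can reach the environment, whereas a CLI cron job never sees request headers. As defence in depth for hosts that cannot update immediately, the web server can drop the header before PHP sees it, for example with Apache's mod_headers directive `RequestHeader unset Proxy early` or, for PHP-FPM behind nginx, `fastcgi_param HTTP_PROXY "";` (both are upstream-documented directives, not taken from this bug). Logging the `Proxy` request header at the web server also gives a cheap detection signal, since legitimate browsers never send it.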
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-07-20 12:21:17 UTC
(In reply to Bernard Cafarelli from comment #0)
> Per $URL:
> We have released ownCloud server versions 9.0.4, 8.2.7, 8.1.9 and 8.0.14,
> which contain several bug fixes as well as security-related issues.
> 
> A third party component called “Guzzle” is affected by the HTTPoxy vulnerability
> (as filed as CVE-2016-5385 for PHP). This component, which handles HTTP
> requests on behalf of ownCloud, can be tricked into passing inbound requests
> to a proxy server controlled by a third party. In combination with the ajax
> cron feature, the third party can potentially see external storage
> credentials and data. We recommend using system cron whenever possible,
> which also significantly improves reliability and experience.
> 
> Mitigation/Fix
> 
> If possible, we recommend an immediate update to 9.0.4, 8.2.7 or 8.1.9
> respectively, which each contain a patch for Guzzle. ownCloud 8.0 is
> shipping an older version of Guzzle and is not affected. However, 8.0.14
> fixes a number of other issues and we encourage everyone on older versions
> of 8.0 to update right away as well.
> 
> 
> New versions are in tree, and I removed the vulnerable versions (8.1, 8.2, 9.0
> branches).

Thanks :)