Bug 465538 (CVE-2013-1942) - <www-apps/owncloud-{4.0.14,4.5.9,5.0.4}: XSS and insecure database passwords generated (CVE-2013-{1941,1942})
Status: RESOLVED FIXED
Alias: CVE-2013-1942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Reported: 2013-04-11 14:57 UTC by Sean Amoss (RETIRED)
Modified: 2013-08-27 16:30 UTC
Description Sean Amoss (RETIRED) gentoo-dev Security 2013-04-11 14:57:13 UTC
From the upstream notification at $URL:

# XSS vulnerability in jPlayer (oC-SA-2013-014)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-014/

## CVE IDENTIFIERS
- CVE-2013-1942 (jPlayer)

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- High

## COMMITS
- 53672a0 (stable5)
- 8716b7f (stable45)
- 60f6bfa (stable4)


## DESCRIPTION
A cross-site scripting (XSS) vulnerability in all ownCloud versions
prior to 5.0.4, including the 4.x branch, allows remote attackers to
execute arbitrary JavaScript when a user opens a specially crafted URL.

This vulnerability exists in the third-party plugin "jPlayer" that is
used. jPlayer released version 2.2.20, which addresses the problem. This
version is not yet officially released and is only available via their
Git repository.


## CREDITS
The ownCloud Team would like to thank Malte Batram (batr.am) for
discovering this vulnerability and responsibly disclosing this to us
and upstream.


## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2

---------------------------------------

# Postgre: Insecure database password generator (oC-SA-2013-015)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-015/

## CVE IDENTIFIERS
- CVE-2013-1941

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- Critical

## COMMITS
- 9a4fe09 (stable5)
- 463039d (stable45)
- cdd10ba (stable4)

## DESCRIPTION

Due to using `time()` as the random source in the installation routine,
the entropy of the generated PostgreSQL database user password is very
low and it can be easily guessed.

We recommend that every PostgreSQL admin change the database user
password as soon as possible!

Note: This vulnerability affects only servers using PostgreSQL as the database.

## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2
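The weak pattern oC-SA-2013-015 describes beside its hardened form, as an added Python illustration that is not ownCloud's code: the md5-of-timestamp generator is a constructed stand-in for any generator whose only varying input is `time()`, and the timestamp 1365692233 is a constructed sample value.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def weak_db_password(install_time: int) -> str:
    """Constructed stand-in for the flawed pattern (not ownCloud's code): the
    only varying input is a one-second timestamp, so the password is a
    deterministic function of when the installer ran, not of any secret."""
    return hashlib.md5(str(install_time).encode()).hexdigest()


def strong_db_password(length: int = 20) -> str:
    """Hardened form: every character is drawn from the OS CSPRNG, so the
    output does not depend on anything an observer can narrow down."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits_time_seeded(window_seconds: int) -> float:
    """Effective entropy of a time-derived password when the install time is
    known to lie within `window_seconds` (one candidate per second)."""
    return math.log2(window_seconds)


def entropy_bits_random(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password of `length` independent uniform characters."""
    return length * math.log2(alphabet_size)


def repeats_for_same_time(generator, sample_time: int) -> bool:
    """Defender-side check: a generator that yields the same password for the
    same timestamp twice carries no entropy beyond the timestamp itself."""
    return generator(sample_time) == generator(sample_time)


if __name__ == "__main__":
    t = 1365692233  # constructed sample install time (April 2013)
    print("time-derived:", weak_db_password(t),
          f"~{entropy_bits_time_seeded(86400):.1f} bits if install day is known")
    print("CSPRNG:      ", strong_db_password(),
          f"~{entropy_bits_random(20):.1f} bits")
```

The comparison makes the advisory's "very low entropy" concrete: a one-day install window bounds a time-derived password to about 16 bits, while 20 CSPRNG characters give about 119.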
Comment 1 Bernard Cafarelli gentoo-dev 2013-04-11 19:01:32 UTC
Bumped versions in tree and vulnerable versions removed (all 3 branches)
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-12 11:20:13 UTC
Thanks, Bernard!

Closing noglsa for ~arch only.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 16:30:07 UTC
CVE-2013-1942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1942):
  Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the
  Flash SWF component in jPlayer before 2.2.20, as used in ownCloud Server
  before 5.0.4 and other products, allows remote attackers to inject arbitrary
  web script or HTML via unspecified vectors, a different vulnerability than
  CVE-2013-2022 and CVE-2013-2023.