Bug 794091 (CVE-2021-29659) - <www-apps/owncloud-10.7.0: authenticated account enumeration (CVE-2021-29659)
Summary: <www-apps/owncloud-10.7.0: authenticated account enumeration (CVE-2021-29659)
Status: RESOLVED FIXED
Alias: CVE-2021-29659
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://owncloud.com/security-advisor...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-04 03:22 UTC by John Helmert III
Modified: 2021-06-04 14:10 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-04 03:22:18 UTC
CVE-2021-29659:

ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.


The advisory says "mitigation is now properly enforced", but I'm not sure when
"now" is in relation to OwnCloud releases. Maintainers, are you about to
discern a fixed version for this?
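The CVE text above only says that a search term of three whitespaces returned every account. The following is an added Python model of that class of bug beside the input handling that closes it; it is not ownCloud's PHP code and not the patch from the linked pull request. The user list, the policy constants `MIN_SEARCH_LEN` and `MAX_RESULTS`, and the assumed mechanism (emptiness checked on the raw input, backend queried with the trimmed term) are constructed for illustration.

```python
"""Hypothetical model of an authenticated user-search endpoint.

CONSTRUCTED example, not ownCloud's code: models the class of defect
behind CVE-2021-29659 (whitespace-only search term lists every account)
and the normalization that prevents it. The user directory, the policy
constants and the exact failure mechanism are assumptions.
"""
import re

# Constructed account directory; stands in for the instance's user backend.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]

MIN_SEARCH_LEN = 2   # assumed policy: at least two visible characters
MAX_RESULTS = 3      # assumed policy: never hand back the whole directory


def search_users_vulnerable(term):
    """Assumed defect: the emptiness check looks at the raw input, but the
    backend is queried with the trimmed term. '   ' passes the check,
    becomes '', and the empty substring matches every account."""
    if term == "":
        return []
    needle = term.strip().lower()
    return [u for u in USERS if needle in u]


def normalize_search_term(term):
    """Trim, collapse internal whitespace runs and lower-case, so the
    caller measures the visible length rather than the raw length."""
    return re.sub(r"\s+", " ", term).strip().lower()


def search_users_hardened(term):
    """Normalize before validating, enforce a minimum visible length, and
    cap the result set so no single request can enumerate the directory."""
    needle = normalize_search_term(term)
    if len(needle) < MIN_SEARCH_LEN:
        raise ValueError("search term too short")
    matches = [u for u in USERS if needle in u]
    return matches[:MAX_RESULTS]


if __name__ == "__main__":
    print("vulnerable:", search_users_vulnerable("   "))  # every account
    try:
        search_users_hardened("   ")
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened:", search_users_hardened("al"))
```

The order of operations is the point: validation must run on the normalized term, and the backend must be queried with that same term, so the two can never disagree about whether the request is empty. The result cap is a second, independent limit that bounds disclosure and load even if a future matching rule is too permissive.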
Comment 1 Bernard Cafarelli gentoo-dev 2021-06-04 07:35:31 UTC
As far as I can see, "now" is current master only: 10.7 was released on 2021-03-26 so quite a while before the CVE, and I think the relevant fix is https://github.com/owncloud/core/pull/38689 - closest I could find in the changelog https://owncloud.com/changelog/server/

That patch applies cleanly to 10.7 so I can add it while bumping version
Comment 2 Larry the Git Cow gentoo-dev 2021-06-04 09:28:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ad56745900b2993f9f0c0ebdc55fa64933f4599

commit 2ad56745900b2993f9f0c0ebdc55fa64933f4599
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-04 07:40:47 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-04 09:28:38 +0000

    www-apps/owncloud: 10.7.0 bump, with security fix backport
    
    Add https://github.com/owncloud/core/pull/38689 that fixes sensitive
    exception data exposure
    
    Bug: https://bugs.gentoo.org/794091
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/owncloud/Manifest                         |  1 +
 .../owncloud-10.7.0-share_data_exposure.patch      | 78 ++++++++++++++++++++++
 www-apps/owncloud/owncloud-10.7.0.ebuild           | 49 ++++++++++++++
 3 files changed, 128 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-04 14:10:54 UTC
Thanks, all done!