Bug 178628 - Critical fixes on www/owncloud (SQL inject, XSS & CSRF)
Summary: Critical fixes on www/owncloud (SQL inject, XSS & CSRF)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Frederic Culot
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-14 15:40 UTC by loic.blot
Modified: 2013-06-11 22:06 UTC (History)
0 users

See Also:


Attachments
own.diff (797 bytes, patch)
2013-05-14 15:40 UTC, loic.blot
file.dat (230 bytes, text/plain; charset="us-ascii")
2013-05-14 15:32 UTC, loic.blot

Description loic.blot 2013-05-14 15:32:20 UTC
>Number:         178628
>Category:       ports
>Synopsis:       Critical fixes on owncloud (SQL inject, XSS & CSRF)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 14 14:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Loic Blot
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
Centre National de la Recherche Scientifique
>Environment:
System: FreeBSD www.unix-experience.fr 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64


>Description:
	SECURITY: SQL Injection (oC-SA-2013-019)
	SECURITY: Multiple directory traversals (oC-SA-2013-020)
	SECURITY: Multiple XSS vulnerabilities (oC-SA-2013-021)
	SECURITY: Open redirector (oC-SA-2013-022)
	SECURITY: Password autocompletion (oC-SA-2013-023)
	SECURITY: Privilege escalation in the calendar application (oC-SA-2013-024)
	SECURITY: Privilege escalation and CSRF in the API (oC-SA-2013-025)
	SECURITY: Incomplete blacklist vulnerability (oC-SA-2013-026)
	SECURITY: Information disclosure: CSRF token + username (oC-SA-2013-027)
	Fix renaming of shared files
	Fix UUID handling with LDAP
	Fix several undelete files issues
	Fix LDAP cachekey handling
	Several OCS API fixes
	Dropbox mounting fixes
	Remove ldap group name restrictions
	Fix fetching of the userlist with multiple user backends
	Turn off password autocompletion
	Translation fixes of the Shared folder
	Fix the fileactions order for filetypes
	Allow to ship a default theme
	Disallow URLs containing "@"
	Smaller layout improvements
	Log an upgrade warning
	Log a trash bin cleanup message
	Improved quota calculation
	Allow to set Quota to zero
	Fix performance regression for uploading of big files
	Several Calendar fixes
	Use displaynames in contacts
	Check for existing address books during migrate->import
	Texteditor fixes
	Increase the SQLite database timeout
	Order images in Gallery
>How-To-Repeat:
>Fix:

	Use this patch
--- own.diff begins here ---
--- Makefile.old	2013-05-14 16:13:27.000000000 +0200
+++ Makefile	2013-05-14 16:15:00.000000000 +0200
@@ -1,7 +1,7 @@
-# $FreeBSD: www/owncloud/Makefile 316156 2013-04-20 15:53:03Z kevlo $
+# $FreeBSD: www/owncloud/Makefile 316156 2013-05-14 16:20:08Z nerz $
 
 PORTNAME=	owncloud
-PORTVERSION=	5.0.5
+PORTVERSION=	5.0.6
 CATEGORIES=	www
 MASTER_SITES=	http://download.owncloud.org/community/
 
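Review bot: The `$FreeBSD$` keyword line should not be hand-edited in this hunk: Subversion expands that keyword on commit, so the replacement `+# $FreeBSD: www/owncloud/Makefile 316156 2013-05-14 16:20:08Z nerz $` (a different committer id against the unchanged revision number) is noise the committer has to discard. Drop the first `-`/`+` pair and keep only the PORTVERSION bump; the committed version in comment 4 shows the header left as plain `# $FreeBSD$`.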
--- distinfo.old	2013-05-14 16:15:12.000000000 +0200
+++ distinfo	2013-05-14 16:19:22.000000000 +0200
@@ -1,2 +1,2 @@
-SHA256 (owncloud-5.0.5.tar.bz2) = d1538f598f7b06a2d0494a9675a461e4bcd976e7e4ddf372efc1a2ec50007a31
-SIZE (owncloud-5.0.5.tar.bz2) = 13865933
+SHA256 (owncloud-5.0.6.tar.bz2) = 1017a62e64ca820c6bd42a4e1c58a644f487cd7c4d81fda2b7bc82f811a288a3 
+SIZE (owncloud-5.0.6.tar.bz2) = 13864664
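Review bot: The `+SHA256` line carries a trailing space after the hash, which is what hand-editing distinfo tends to produce; regenerate the file with `make makesum` after fetching the 5.0.6 tarball instead of editing it, and confirm the checksum against the value published at the MASTER_SITES location before submitting, since distinfo is the only integrity check the port applies to the distfile.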
--- own.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:
Comment 1 loic.blot 2013-05-14 15:40:00 UTC
Fix: Use this patch
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2013-05-14 19:53:44 UTC
Responsible Changed
From-To: freebsd-ports-bugs->kevlo

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 3 Frederic Culot freebsd_committer freebsd_triage 2013-06-11 20:07:29 UTC
Responsible Changed
From-To: kevlo->culot

I'll take it.
Comment 4 dfilter service freebsd_committer freebsd_triage 2013-06-11 21:27:55 UTC
Author: culot
Date: Tue Jun 11 20:27:48 2013
New Revision: 320636
URL: http://svnweb.freebsd.org/changeset/ports/320636

Log:
  - Update to 5.0.7
  
  Changes:	http://owncloud.org/changelog/
  
  Security:	oC-SA-2013-[019-028]
  Security:	CVE-2013-[2039-2045,2047-2048,2085-2086,2089,2149-2150]
  
  PR:		ports/178628
  PR:		ports/179494
  Submitted by: 	Loic Blot <loic.blot@unix-experience.fr>
  Approved by:	kevlo@ (maintainer, timeout)

Modified:
  head/www/owncloud/Makefile
  head/www/owncloud/distinfo

Modified: head/www/owncloud/Makefile
==============================================================================
--- head/www/owncloud/Makefile	Tue Jun 11 19:45:36 2013	(r320635)
+++ head/www/owncloud/Makefile	Tue Jun 11 20:27:48 2013	(r320636)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	owncloud
-PORTVERSION=	5.0.5
+PORTVERSION=	5.0.7
 CATEGORIES=	www
 MASTER_SITES=	http://download.owncloud.org/community/
 

Modified: head/www/owncloud/distinfo
==============================================================================
--- head/www/owncloud/distinfo	Tue Jun 11 19:45:36 2013	(r320635)
+++ head/www/owncloud/distinfo	Tue Jun 11 20:27:48 2013	(r320636)
@@ -1,2 +1,2 @@
-SHA256 (owncloud-5.0.5.tar.bz2) = d1538f598f7b06a2d0494a9675a461e4bcd976e7e4ddf372efc1a2ec50007a31
-SIZE (owncloud-5.0.5.tar.bz2) = 13865933
+SHA256 (owncloud-5.0.7.tar.bz2) = 8329a2b8ee7da48111455aca299eacef68bde22c6e6494c3e9c41d4619e5083d
+SIZE (owncloud-5.0.7.tar.bz2) = 14016269
Comment 5 Frederic Culot freebsd_committer freebsd_triage 2013-06-11 22:06:44 UTC
State Changed
From-To: open->closed

Committed. Thanks!