Message-ID: <20130805213338.GA10738@eldamar.local>
Date: Mon, 5 Aug 2013 23:33:38 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com, security@...cloud.com
Subject: owncloud 5.0.8 and 4.5.13 (oC-SA-2013-029 and oC-SA-2013-030) - CVE assignments?

Hi

(not a CVE request per se more to clarify/ask back):

Owncloud 4.5.13 and 5.0.8 fixed both bugs marked SECURITY at [1].

 [1] http://owncloud.org/releases/Changelog

Release "5.0.8"
July 9. 2013
- SECURITY: XSS vulnerability in "Share Interface" (oC-SA-2013-029)
- SECURITY: Authentication bypass in "user_webdavauth" (oC-SA-2013-030)
- New anonymous upload feature
- Fix syncing of external filesystems
- External filesystems performance improvements
- Improve compatibility with Oracle
- Improved and simplified theming
- Internet explorer 8 fixes
- Fixes for partial file uploads
- LDAP: fix handling of User and Group Bases
- Improved and more robust upgrade system
- A lot of encryption system fixes
- Do not add groups if user has no groups
- Several Contacts fixes
- A lot of smaller bugfixes all over the place
Download: http://download.owncloud.org/community/owncloud-5.0.8.tar.bz2
MD5: http://download.owncloud.org/community/owncloud-5.0.8.tar.bz2.md5

-------------------------------

Release "4.5.13"
July 9. 2013
- SECURITY: Authentication bypass in "user_webdavauth" (oC-SA-2013-030)
- Fixed deleting old files versions
Download: http://download.owncloud.org/community/owncloud-4.5.13.tar.bz2
MD5: http://download.owncloud.org/community/owncloud-4.5.13.tar.bz2.md5

Looking at [2] there are no references to oC-SA-2013-029 and
oC-SA-2013-030 and CVE assignments for these issues. Were they already
requested? (Cc'ing also the security@...cloud.com team, reading from
[3] it's not clear if they were already assigned).

But the following might be emphasized (from [3]):

[11:38:54] <AnybodyElse> Luigi12_work: I'll release them as soon as possible. Sorry. I'm actually *very* busy with my job.
[11:40:00] <AnybodyElse> Luigi12_work: that said: the vulnerabilities aren't really severe and only exploitable in some very special and unusuable setups

 [2] http://owncloud.org/about/security/advisories/
 [3] https://bugs.mageia.org/show_bug.cgi?id=10763#c8

Regards,
Salvatore