quantal security update

Bug #1084109 reported by Jonathan Riddell
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
owncloud (Ubuntu) | Fix Released | Undecided | Unassigned |
Quantal | Fix Released | Undecided | Jamie Strandboge |
Raring | Fix Released | Undecided | Unassigned |

Bug Description

Security vulnerabilities in quantal need several fixes to the 4.0.7 owncloud package.

Easiest way is to merge with Debian which has 4.0.8+patches (making it equivalent to 4.0.9)

Jonathan Riddell (jr) wrote :

Updated package uploaded to quantal-security awaiting approval

Jonathan Riddell (jr) wrote :
Jonathan Riddell (jr) wrote :
tags: added: kubuntu
Changed in owncloud (Ubuntu Quantal):
status: New → Confirmed
Jonathan Riddell (jr) wrote :

Package successfully runs and works

Jamie Strandboge (jdstrand) wrote :

What is the status of owncloud in raring?

Changed in owncloud (Ubuntu Quantal):
status: Confirmed → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

I see raring is at 4.0.9debian-0ubuntu1 now.

Jamie Strandboge (jdstrand) wrote :

The tarball in comment #3 doesn't seem to match Debian or upstream 4.0.8. I think the way to go is to do the original suggestion and use the merge with Debian. I will be examining the suggested debdiff now.

Jamie Strandboge (jdstrand) wrote :

The debdiff for 4.0.7debian-1ubuntu1 to 4.0.8debian-1.1ubuntu1 that was originally submitted does not account for the changes between 4.0.7 and 4.0.8 for apps/files_odfviewer, so this debdiff should not be used (i.e., it doesn't represent the actual change from quantal to what we want in quantal-security).

Jamie Strandboge (jdstrand) wrote :

In addition to the missing changes in the previous debdiff, it:
 * should use quantal-security, not quantal-proposed
 * did not use the correct version (should use 4.0.8debian-1.1ubuntu0.1)
 * the changelog format was not in the recommended form as detailed in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

I've reviewed the changes between 4.0.7 and 4.0.8 and they look reasonable. I then created a merge with Debian unstable for quantal (debdiff between unstable and quantal-security attached).
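
The version point in the review above can be checked mechanically. The following is an added example, not part of the original thread and not Ubuntu or dpkg tooling: a small Python reimplementation of Debian version ordering applied to the versions quoted in this report. The function names are hypothetical, and the rule that a stable-release security version must sort below the "<debian version>ubuntu1" form is the packaging convention assumed here to explain the ubuntu0.1 suffix.

```python
import re

def _weights(s):
    # dpkg ordering inside a non-digit run: '~' sorts before end-of-run (0),
    # letters sort before other punctuation. The trailing 0 marks end-of-run.
    return [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
            for c in s] + [0]

def _cmp_part(a, b):
    # Split into alternating (non-digit run, digit run) pairs and compare pairwise.
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    n = max(len(pa), len(pb))
    pa += [("", "")] * (n - len(pa))
    pb += [("", "")] * (n - len(pb))
    for (sa, da), (sb, db) in zip(pa, pb):
        ka, kb = (_weights(sa), int(da or 0)), (_weights(sb), int(db or 0))
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision starts at the last hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a, b):
    """Return -1, 0 or 1 following Debian version ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def check_security_version(candidate, in_release, debian):
    """List the ordering problems of a proposed stable-release version."""
    problems = []
    if compare(candidate, in_release) <= 0:
        problems.append("does not upgrade the version already in the release")
    if compare(candidate, debian) <= 0:
        problems.append("does not sort above the merged Debian version")
    if compare(candidate, debian + "ubuntu1") >= 0:  # assumed convention
        problems.append("does not sort below " + debian + "ubuntu1")
    return problems

# Versions quoted in this bug report.
IN_QUANTAL = "4.0.7debian-1ubuntu1"
DEBIAN = "4.0.8debian-1.1"

if __name__ == "__main__":
    for v in ("4.0.8debian-1.1ubuntu1", "4.0.8debian-1.1ubuntu0.1"):
        print(v, check_security_version(v, IN_QUANTAL, DEBIAN) or "ok")
```

Run directly, it reports one problem for 4.0.8debian-1.1ubuntu1 and none for 4.0.8debian-1.1ubuntu0.1.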

Jamie Strandboge (jdstrand) wrote :

Uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages. Jonathan, can you test the package and give feedback?

Thanks!

Changed in owncloud (Ubuntu Quantal):
status: Triaged → Fix Committed
Changed in owncloud (Ubuntu Raring):
status: New → Fix Released
tags: added: verification-needed
information type: Public → Public Security
Jamie Strandboge (jdstrand) wrote :

Per Riddell on IRC:
09:16 < Riddell> jdstrand: yep works with the new package (http://ec2-54-234-63-47.compute-1.amazonaws.com/owncloud/foo/bar )

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package owncloud - 4.0.8debian-1.1ubuntu0.1

---------------
owncloud (4.0.8debian-1.1ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Merge with Debian for new upstream release and security
    fixes. Remaining change:
    - Recommends rather than Suggests mysql-server
    - LP: #1084109

owncloud (4.0.8debian-1.1) unstable; urgency=high

  * Non-maintainer upload, fixes several security issues (Closes: #693990).
  * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
  * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
  * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
  * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
    filesystem.php.

owncloud (4.0.8debian-1) unstable; urgency=low

  * New upstream bugfix release
  * debian/patches:
    - Adjust 05_no_app_store.diff
 -- Jamie Strandboge <email address hidden> Fri, 30 Nov 2012 07:39:09 -0600

Changed in owncloud (Ubuntu Quantal):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
