Please update to 3.0.3 to fix security vulnerabilities

Bug #1004379 reported by Jonathan Kolberg
This bug affects 1 person
Affects            Status   Importance  Assigned to       Milestone
owncloud (Ubuntu)  Invalid  Undecided   Unassigned
Precise            Invalid  Undecided   Jonathan Kolberg

Bug Description

As noted in the Changelog ( http://owncloud.org/releases/Changelog ) (2012.3 is the enterprise name of 3.0.3), there were security issues fixed.

My reason for wanting to get 3.0.3 in and not backporting the fixes is that only bug fixing was done, and that makes the software work much better.

Changed in owncloud (Ubuntu):
assignee: nobody → Jonathan Kolberg (bulldog98)
Jonathan Kolberg (bulldog98) wrote :

I already have an updated package (at http://people.ubuntu.com/~bulldog98/packaging/owncloud/)

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug.

Thank you for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. I see that you have attached a link to update the Ubuntu packages to the new upstream version. While this work is appreciated, we cannot publish your patches because this does not follow Ubuntu's policy of backporting security patches. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in owncloud (Ubuntu):
status: New → Incomplete
Aditya V (kroq-gar78)
tags: added: upgrade-software-version
papukaija (papukaija) wrote :

The tag "upgrade-software-version" is not appropriate for security issues.

summary: - Owncloud should be updated to at least 3.0.3
+ Please update to 3.0.3 to fix security vulnerabilities
tags: removed: upgrade-software-version
Jeremy Bícha (jbicha) wrote :

This bug was fixed in the package owncloud - 4.0.1debian-2

---------------
owncloud (4.0.1debian-2) unstable; urgency=low

  * Upload to fix PostgreSQL-related install issues.
  * debian/control:
    - Removed the postgresql-client-8.1 install alternative, just depend on
      postgresql-client.
    - Changed the postgresql-client suggest into postgresql (i.e. the server).

 -- Paul van Tilburg <email address hidden> Tue, 05 Jun 2012 21:33:20 +0200

owncloud (4.0.1debian-1) unstable; urgency=low

  * New upstream bugfix release.
  * debian/control: replaced suggest on postgresql-server by
    postgresql-client for the owncloud-pgsql package.
  * debian/owncloud-pgsql.README.Debian: updated to not mention admin
    credentials, users won't get them during the postgres install process.
  * debian/patches:
    - Dropped 04_fix_odfviewer.diff and
      06_add_head_support_for_download.diff; applied by upstream.
    - Updated 05_no_app_store.diff to only check whether the /apps dir is
      writable when the appstore is enabled.
  * debian/rules:
    - Don't install l10n/init.sh.
    - Make sure that /etc/owncloud/htaccess is owned by www-data, as
      ownCloud may update it (for now).

 -- Paul van Tilburg <email address hidden> Tue, 05 Jun 2012 00:44:46 +0200

owncloud (4.0.0debian-3) unstable; urgency=low

  * Upload to unstable.

 -- Paul van Tilburg <email address hidden> Sun, 03 Jun 2012 17:38:46 +0200

owncloud (4.0.0debian-2) experimental; urgency=low

  [ Paul van Tilburg ]
  * debian/control:
    - Set the team as maintainer.
    - Added a depend on php5-curl; this is needed by the bookmarks app,
      which is an internal app.
  * debian/owncloud.links: added some missing links to vital application
    data from /var/lib/owncloud.

  [ Thomas Mueller ]
  * debian/patches:
    - 06_add_head_support_for_download.diff added to fix the ODF viewer.

 -- Paul van Tilburg <email address hidden> Sat, 26 May 2012 23:53:18 +0200

owncloud (4.0.0debian-1) experimental; urgency=low

  [ Thomas Mueller ]
  * New upstream release 4.0.0.
  * debian/postrm: remove /etc/owncloud/config.php.
  * debian/rules: remove fullcalendar.min.js & jquery.Jcrop.min.js; they
    are not used.
  * debian/patches:
    - 04_fix_odfviewer.diff added
    - 05_no_app_store.diff added

  [ Paul van Tilburg ]
  * debian/control:
    - Added owncloud-{mysql,pgsql,sqlite} dependency packages.
    - Added a depend on libphp-phpmailer.
    - Added a depend on php-getid3 (>= 1.9.3-1).
    - Bumped the libjs-jquery depend to >= 1.7.2-1.
    - Dropped the depends on dbconfig-common, debconf, and ucf; not used yet.
    - Added a recommend for exim4 | mail-transport-agent.
  * debian/copyright, debian/rules: updated for new upstream release.
  * debian/owncloud.lintian-overrides: added an override for the backup
    directory permissions.
  * debian/owncloud.postinst: updated to enable Apache's rewrite module.
  * debian/patches:
    - Refreshed patches 01_fix_data_path.diff and 02_fix_crypt.diff for new
      upstream.
    - Dropped patches 03_fix_pear_mdb2_missmatch.diff,
      04_adding_jquery_infieldlabel_js.diff,
      05_adding_jquery_fancyboxbox.diff,
      06_adding_jquery.mousew...


Changed in owncloud (Ubuntu):
status: Incomplete → Fix Released
Changed in owncloud (Ubuntu Precise):
status: New → Incomplete
assignee: nobody → Jonathan Kolberg (bulldog98)
Changed in owncloud (Ubuntu):
assignee: Jonathan Kolberg (bulldog98) → nobody
Jamie Strandboge (jdstrand) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in owncloud (Ubuntu):
status: Fix Released → Invalid
Changed in owncloud (Ubuntu Precise):
status: Incomplete → Invalid
This report contains Public Security information  
Everyone can see this security related information.
