ports/178628: Critical fixes on owncloud (SQL inject, XSS & CSRF)
Loic Blot
loic.blot at unix-experience.fr
Tue May 14 14:40:01 UTC 2013
>Number: 178628
>Category: ports
>Synopsis: Critical fixes on owncloud (SQL inject, XSS & CSRF)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue May 14 14:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Loic Blot
>Release: FreeBSD 9.1-RELEASE amd64
>Organization:
Centre National de la Recherche Scientifique
>Environment:
System: FreeBSD www.unix-experience.fr 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
SECURITY: SQL Injection (oC-SA-2013-019)
SECURITY: Multiple directory traversals (oC-SA-2013-020)
SECURITY: Multiple XSS vulnerabilities (oC-SA-2013-021)
SECURITY: Open redirector (oC-SA-2013-022)
SECURITY: Password autocompletion (oC-SA-2013-023)
SECURITY: Privilege escalation in the calendar application (oC-SA-2013-024)
SECURITY: Privilege escalation and CSRF in the API (oC-SA-2013-025)
SECURITY: Incomplete blacklist vulnerability (oC-SA-2013-026)
SECURITY: Information disclosure: CSRF token + username (oC-SA-2013-027)
Fix renaming of shared files
Fix UUID handling with LDAP
Fix several undelete files issues
Fix LDAP cachekey handling
Several OCS API fixes
Dropbox mounting fixes
Remove ldap group name restrictions
Fix fetching of the userlist with multiple user backends
Turn off password autocompletion
Translation fixes of the Shared folder
Fix the fileactions order for filetypes
Allow to ship a default theme
Disallow URLs containing “@”
Smaller layout improvements
Log an upgrade warning
Log a trash bin cleanup message
Improved quota calculation
Allow to set Quota to zero
Fix performance regression for uploading of big files
Several Calendar fixes
Use displaynames in contacts
Check for existing address books during migrate->import
Texteditor fixes
Increase the SQLite database timeout
Order images in Gallery
>How-To-Repeat:
>Fix:
Use this patch
--- own.diff begins here ---
--- Makefile.old 2013-05-14 16:13:27.000000000 +0200
+++ Makefile 2013-05-14 16:15:00.000000000 +0200
@@ -1,7 +1,7 @@
-# $FreeBSD: www/owncloud/Makefile 316156 2013-04-20 15:53:03Z kevlo $
+# $FreeBSD: www/owncloud/Makefile 316156 2013-05-14 16:20:08Z nerz $
PORTNAME= owncloud
-PORTVERSION= 5.0.5
+PORTVERSION= 5.0.6
CATEGORIES= www
MASTER_SITES= http://download.owncloud.org/community/
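Review bot: the `$FreeBSD$` line at the top of this hunk has been edited by hand: the revision stays at 316156 while the date and user change to `2013-05-14 16:20:08Z nerz`. That keyword is expanded by the repository at commit time, so the submitted diff should leave it as it was and carry only the `PORTVERSION` bump from 5.0.5 to 5.0.6. Since `MASTER_SITES` in the context lines is a plain `http://` URL, the distinfo checksum is the only integrity check on the fetched tarball, which is worth stating in the PR for a security update.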
--- distinfo.old 2013-05-14 16:15:12.000000000 +0200
+++ distinfo 2013-05-14 16:19:22.000000000 +0200
@@ -1,2 +1,2 @@
-SHA256 (owncloud-5.0.5.tar.bz2) = d1538f598f7b06a2d0494a9675a461e4bcd976e7e4ddf372efc1a2ec50007a31
-SIZE (owncloud-5.0.5.tar.bz2) = 13865933
+SHA256 (owncloud-5.0.6.tar.bz2) = 1017a62e64ca820c6bd42a4e1c58a644f487cd7c4d81fda2b7bc82f811a288a3
+SIZE (owncloud-5.0.6.tar.bz2) = 13864664
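Review bot: the new `SHA256` and `SIZE` lines for owncloud-5.0.6.tar.bz2 come with no indication of how they were verified. Because the Makefile fetches from an `http://` master site, a value produced only by running `make makesum` on that download records whatever was received. Please confirm the SHA256 against a checksum or signature published by upstream for 5.0.6 and say so in the PR before this is committed.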
--- own.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: