From owner-freebsd-ports-bugs@FreeBSD.ORG Tue May 14 14:40:01 2013
Message-Id: <20130514143220.C4F3A5C8D7@www.unix-experience.fr>
Date: Tue, 14 May 2013 16:32:20 +0200 (CEST)
From: Loic Blot
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: ports/178628: Critical fixes on owncloud (SQL inject, XSS & CSRF)
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: Loic Blot
List-Id: Ports bug reports
X-List-Received-Date: Tue, 14 May 2013 14:40:01 -0000

>Number: 178628
>Category: ports
>Synopsis: Critical fixes on owncloud (SQL inject, XSS & CSRF)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue May 14 14:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Loic Blot
>Release: FreeBSD 9.1-RELEASE amd64
>Organization:
Centre National de la Recherche Scientifique
>Environment:
System: FreeBSD www.unix-experience.fr 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
SECURITY: SQL Injection (oC-SA-2013-019)
SECURITY: Multiple directory traversals (oC-SA-2013-020)
SECURITY: Multiple XSS vulnerabilities (oC-SA-2013-021)
SECURITY: Open redirector (oC-SA-2013-022)
SECURITY: Password autocompletion (oC-SA-2013-023)
SECURITY: Privilege escalation in the calendar application (oC-SA-2013-024)
SECURITY: Privilege escalation and CSRF in the API (oC-SA-2013-025)
SECURITY: Incomplete blacklist vulnerability (oC-SA-2013-026)
SECURITY: Information disclosure: CSRF token + username (oC-SA-2013-027)
Fix renaming of shared files
Fix UUID handling with LDAP
Fix several undelete files issues
Fix LDAP cachekey handling
Several OCS API fixes
Dropbox mounting fixes
Remove ldap group name restrictions
Fix fetching of the userlist with multiple user backends
Turn off password autocompletion
Translation fixes of the Shared folder
Fix the fileactions order for filetypes
Allow to ship a default theme
Disallow URLs containing “@”
Smaller layout improvements
Log an upgrade warning
Log a trash bin cleanup message
Improved quota calculation
Allow to set Quota to zero
Fix performance regression for uploading of big files
Several Calendar fixes
Use displaynames in contacts
Check for existing address books during migrate->import
Texteditor fixes
Increase the SQLite database timeout
Order images in Gallery
>How-To-Repeat:
>Fix:
Use this patch

--- own.diff begins here ---
--- Makefile.old 2013-05-14 16:13:27.000000000 +0200 +++ Makefile 2013-05-14 16:15:00.000000000 +0200 @@ -1,7 +1,7 @@ -# $FreeBSD: www/owncloud/Makefile 316156 2013-04-20 15:53:03Z kevlo $ +# $FreeBSD: www/owncloud/Makefile 316156 2013-05-14 16:20:08Z nerz $ PORTNAME= owncloud -PORTVERSION= 5.0.5 +PORTVERSION= 5.0.6 CATEGORIES= www MASTER_SITES= http://download.owncloud.org/community/ --- distinfo.old 2013-05-14 16:15:12.000000000 +0200 +++ distinfo 2013-05-14 16:19:22.000000000 +0200 @@ -1,2 +1,2 @@ -SHA256 (owncloud-5.0.5.tar.bz2) = d1538f598f7b06a2d0494a9675a461e4bcd976e7e4ddf372efc1a2ec50007a31 -SIZE (owncloud-5.0.5.tar.bz2) = 13865933 +SHA256 (owncloud-5.0.6.tar.bz2) = 1017a62e64ca820c6bd42a4e1c58a644f487cd7c4d81fda2b7bc82f811a288a3 +SIZE (owncloud-5.0.6.tar.bz2) = 13864664
--- own.diff ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
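
Review bot: The $FreeBSD$ ident line at the top of the Makefile hunk has been edited by hand: the revision stays at 316156 while the date and user change to "2013-05-14 16:20:08Z nerz". That keyword is expanded by the repository at commit time, so the submitted diff should leave the line untouched and carry only the "PORTVERSION= 5.0.6" change. The bump is justified by oC-SA-2013-019 through oC-SA-2013-027, yet the patch touches only Makefile and distinfo; a security/vuxml entry for the listed advisories should accompany it so that installed 5.0.5 packages are flagged.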
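
Review bot: The new SHA256 and SIZE values for owncloud-5.0.6.tar.bz2 in the distinfo hunk are the only integrity check on the distfile, because the MASTER_SITES context line in the Makefile hunk is plain http://download.owncloud.org/community/. Before committing, regenerate distinfo with "make makesum" from an independently fetched tarball and compare the digest with one obtained from upstream over a separate channel, if one is published, rather than taking the values from the PR as submitted.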