{ "schema_version": "1.7.0", "id": "MGASA-2015-0378", "published": "2015-09-18T15:57:28Z", "modified": "2016-03-07T22:46:41Z", "summary": "Updated owncloud packages fix security vulnerabilities", "details": "Updated owncloud package fixes security vulnerabilities:\n\nIn ownCloud before 8.0.6, due to an incorrect usage of an ownCloud internal\nfile system function the passed path to the file scanner was resolved\nrelatively. An authenticated adversary may thus be able to get a listing of\ndirectories (but not the containing files) existing on the filesystem.\nHowever, it is not possible to access any of these files (CVE-2015-6500).\n\nIn ownCloud before 8.0.6, due to not properly checking the ownership of an\ncalendar, an authenticated attacker is able to download calendars of other\nusers via the \"calid\" GET parameter to export.php in /apps/calendar/\n(CVE-2015-6670).\n\nThe owncloud package has been updated to version 8.0.8, which fixes these\nissues, as well as other bugs and other not-yet-disclosed security issues.\n", "upstream": [ "CVE-2015-6500", "CVE-2015-6670" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2015-0378.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=16771" }, { "type": "ADVISORY", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-014" }, { "type": "ADVISORY", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-015" }, { "type": "WEB", "url": "https://owncloud.org/changelog/" } ], "affected": [ { "package": { "ecosystem": "Mageia:5", "name": "owncloud", "purl": "pkg:rpm/mageia/owncloud?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "8.0.8-1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }