Bug 1218244 (CVE-2015-3011, CVE-2015-3012, CVE-2015-3013)

Summary: CVE-2015-3011 CVE-2015-3012 CVE-2015-3013 owncloud: various flaws fixed in 7.0.5
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: awilliam, jrusnack
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: owncloud 7.0.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-04 15:02:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1218245, 1218246, 1218247    
Bug Blocks:    

Description Martin Prpič 2015-05-04 12:07:27 UTC 
The following flaws were fixed in the 7.0.5 release of ownCloud:

CVE-2015-3013 -- Bypass of file blacklist (oC-SA-2015-004)
https://owncloud.org/security/advisory/?id=oc-sa-2015-004

CVE-2015-3012 -- Multiple stored XSS in "documents" application (oC-SA-2015-002)
https://owncloud.org/security/advisory/?id=oc-sa-2015-002

CVE-2015-3011 -- Multiple stored XSS in "contacts" application (oC-SA-2015-001)
https://owncloud.org/security/advisory/?id=oc-sa-2015-001

Additional information:

https://www.debian.org/security/2015/dsa-3244
Comment 1 Martin Prpič 2015-05-04 12:08:13 UTC 
Created owncloud tracking bugs for this issue:

Affects: fedora-all [bug 1218245]
Affects: epel-6 [bug 1218246]
Affects: epel-7 [bug 1218247]
Comment 2 DO NOT USE account not monitored (old adamwill) 2015-05-04 15:02:37 UTC 
7.0.5 is already out for all releases prior to 22 as a stable update. 22 and Rawhide are on the 8.x series.