Fedora 19 : owncloud-5.0.17-2.fc19 / php-sabredav-Sabre_CalDAV-1.7.9-1.fc19 / etc (2014-14066)

medium Nessus Plugin ID 79391

Synopsis

The remote Fedora host is missing one or more security updates.

Description

This update provides ownCloud 5.0.17, the latest release in the 5.x series, plus an extra security-related fix backported from the stable5 branch.

It also provides SabreDAV 1.7.13. This is also a major upgrade from SabreDAV 1.6, and has API incompatibilities. ownCloud is the only Fedora 19 package that requires SabreDAV, and ownCloud 5 cannot work with SabreDAV 1.6: the API-incompatible upgrade is unfortunate but necessary to provide a secure ownCloud release.

ownCloud 4.5, the current version in Fedora 19, is un-maintained, subject to known security issues, and has no upgrade path beyond ownCloud 5. Upgrading directly from 4.5 to the current version in Fedora 20 or 21 - ownCloud 7 - would likely fail.

I plan to update the package to 6.x before Fedora 19 goes EOL and maintain the 5.x and 6.x builds in a side repository to make sure there is a viable upgrade path from Fedora 19.

Initial testing on the 4.x -> 5.x upgrade has been performed, but please back up your user data, ownCloud configuration and ownCloud database before performing the upgrade. Please file negative karma and a bug report for any issues encountered during the upgrade. Ideally, the upgrade should run smoothly on first access to the updated ownCloud instance with no manual intervention required.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected packages.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=1035593

http://www.nessus.org/u?0f1a8163

http://www.nessus.org/u?0e0e4b73

http://www.nessus.org/u?87ba4cd8

http://www.nessus.org/u?f34faccd

http://www.nessus.org/u?438d8ca8

http://www.nessus.org/u?d33d8d07

http://www.nessus.org/u?60dd41d5

Plugin Details

Severity: Medium

ID: 79391

File Name: fedora_2014-14066.nasl

Version: 1.6

Type: local

Agent: unix

Published: 11/24/2014

Updated: 1/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:owncloud, p-cpe:/a:fedoraproject:fedora:php-sabredav-Sabre_CalDAV, p-cpe:/a:fedoraproject:fedora:php-sabredav-Sabre_CardDAV, p-cpe:/a:fedoraproject:fedora:php-sabredav-Sabre_DAV, p-cpe:/a:fedoraproject:fedora:php-sabredav-Sabre_DAVACL, p-cpe:/a:fedoraproject:fedora:php-sabredav-Sabre_HTTP, p-cpe:/a:fedoraproject:fedora:php-sabredav-Sabre_VObject, cpe:/o:fedoraproject:fedora:19

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/1/2014

Reference Information

CVE: CVE-2013-6403

BID: 63926

FEDORA: 2014-14066