[owncloud-devel] Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Thomas Müller thomas.mueller at tmit.eu
Fri Feb 28 16:38:26 MET 2014


Thanks for the notification!

The XXE issue is already patched in our codebase which will be released with 6.0.2 and 5.0.15.
The fpassthru issue is only relevant for OS X on server side - right?

Take care,

Tom


On Friday, 28.02.2014 at 16:15, Thomas Tanghus wrote:
> 
> ----------  Forwarded Message  ----------
> 
> Subject: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues
> Date: Wednesday 26 February 2014, 14:37
> From: Evert Pot <evertpot at gmail.com>
> To: sabredav-discuss at googlegroups.com
> 
> Hi everyone,
> 
> We just released SabreDAV 1.7.11 and 1.8.9. Both of these releases fix two 
> critical issues.
> 
> Upgrade by running:
> 
> composer upgrade sabre/dav
> 
> or grab the zips from:
> 
> https://github.com/fruux/sabre-dav/releases
> 
> This release fixes a security issue and an issue related to large files in 
> SabreDAV.
> 
> *XXE issue*
> 
> Previous SabreDAV versions had a security issue, if running on the 
> following PHP versions
> 
> * PHP 5.3, older than 5.3.23
> * PHP 5.4, older than 5.4.13
> * PHP 5.5 is not affected by this.
> 
> You are strongly recommended to upgrade, as the security issue could expose 
> local files or easily trigger a DOS attack.
> 
> More information here: 
> <http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html>
> 
> *Large file support*
> 
> It was also discovered that SabreDAV can often not serve files larger than 
> 2GB, due to a bug in PHP's fpassthru method.
> 
> If you ran into this issue, update sabredav. We are now no longer using 
> fpassthru.
> 
> More information here: http://evertpot.com/fpassthru-broken/
> 
> 
> -- 
> Med venlig hilsen / Best Regards
> 
> Thomas Tanghus