[owncloud-devel] Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Thomas Tanghus tanghus at gmail.com
Thu Feb 27 10:17:35 MET 2014


----------  Forwarded Message  ----------

Subject: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues
Date: Wednesday 26 February 2014, 14:37
From: Evert Pot <evertpot at gmail.com>
To: sabredav-discuss at googlegroups.com

Hi everyone,

We just released SabreDAV 1.7.11 and 1.8.9. Both of these releases fix two 
critical issues.

Upgrade by running:

composer upgrade sabre/dav

or grab the zips from:

https://github.com/fruux/sabre-dav/releases

This release fixes a security issue and an issue related to large files in 
SabreDAV.

*XXE issue*

Previous SabreDAV versions had a security issue if running on the 
following PHP versions:

* PHP 5.3, older than 5.3.23
* PHP 5.4, older than 5.4.13
* PHP 5.5 is not affected by this.

You are strongly recommended to upgrade, as the security issue could expose 
local files or easily trigger a DOS attack.

More information here: 
<http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html>

*Large file support*

It was also discovered that SabreDAV can often not serve files larger than 
2GB, due to a bug in PHP's fpassthru method.

If you ran into this issue, update SabreDAV. We are now no longer using 
fpassthru.

More information here: http://evertpot.com/fpassthru-broken/


-----------------------------------------
-- 
Kind regards,

Thomas Tanghus
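
As an added example (not part of the original message and not SabreDAV's own code), the following PHP script checks the contents of a composer.lock and a server's PHP version against the fixed releases and affected PHP ranges named in the announcement. The sample lock file, the server version and the function names are constructed for illustration, and the script assumes PHP 7.1 or later on the machine running the check.

```php
<?php
// Added example. Thresholds below are copied from the announcement.
const FIXED_SABREDAV = ['1.7' => '1.7.11', '1.8' => '1.8.9'];
// PHP 5.5 is announced as not affected, so every 5.5.x passes.
const PATCHED_PHP = ['5.3' => '5.3.23', '5.4' => '5.4.13', '5.5' => '0'];

// Returns 'affected', 'ok', or 'not-covered' (branch not named in the announcement).
function classify(string $version, array $thresholds): string
{
    $version = ltrim($version, 'v');
    $parts = explode('.', $version);
    if (count($parts) < 2) {
        return 'not-covered';
    }
    $branch = $parts[0] . '.' . $parts[1];
    if (!isset($thresholds[$branch])) {
        return 'not-covered';
    }
    return version_compare($version, $thresholds[$branch], '<') ? 'affected' : 'ok';
}

// Finds the locked sabre/dav version in the contents of a composer.lock file.
function sabreDavVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        return null;
    }
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $package) {
            if (($package['name'] ?? '') === 'sabre/dav') {
                return $package['version'] ?? null;
            }
        }
    }
    return null;
}

// Constructed sample input, not taken from a real deployment.
$sampleLock = '{"packages":[{"name":"sabre/vobject","version":"2.1.3"},'
    . '{"name":"sabre/dav","version":"1.8.7"}]}';
$serverPhp = '5.4.12'; // hypothetical version reported by the server

$dav = sabreDavVersion($sampleLock);
$davStatus = $dav === null ? 'not-covered' : classify($dav, FIXED_SABREDAV);
printf("sabre/dav %s: %s\n", $dav ?? 'not found', $davStatus);
printf("PHP %s: %s\n", $serverPhp, classify($serverPhp, PATCHED_PHP));
```

Versions on branches the announcement does not name are reported as not-covered rather than guessed at.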

