[owncloud-devel] Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Thomas Tanghus thomas at tanghus.net
Sat Mar 1 00:37:42 MET 2014


On Friday 28 February 2014 16:58 Thomas Müller wrote:
> Pull requests are open:
> https://github.com/owncloud/3rdparty/pull/77
> https://github.com/owncloud/core/pull/7480
> 
> Take care,

Awesome. Have visitors so didn't have time for more than forwarding the 
message :)

> Tom
> 
> Am Freitag, den 28.02.2014 um 16:38 schrieb Thomas Müller:
> > Thanks for the notification!
> > 
> > The XXE issue is already patched in our codebase which will be released with
> > 6.0.2 and 5.0.15. The fpassthru issue is only relevant for osx on server
> > side - right?
> > 
> > Take care,
> > 
> > Tom
> > 
> > Am Freitag, den 28.02.2014 um 16:15 schrieb Thomas Tanghus:
> > > ----------  Forwarded Message  ----------
> > > 
> > > Subject: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues
> > > Date: Wednesday 26 February 2014, 14:37
> > > From: Evert Pot <evertpot at gmail.com>
> > > To: sabredav-discuss at googlegroups.com
> > > 
> > > Hi everyone,
> > > 
> > > We just released SabreDAV 1.7.11 and 1.8.9. Both of these releases fix
> > > two critical issues.
> > > 
> > > Upgrade by running:
> > > 
> > > composer upgrade sabre/dav
> > > 
> > > or grab the zips from:
> > > 
> > > https://github.com/fruux/sabre-dav/releases
> > > 
> > > This release fixes a security issue and an issue related to large files
> > > in SabreDAV.
> > > 
> > > *XXE issue*
> > > 
> > > Previous SabreDAV versions had a security issue, if running on the
> > > following PHP versions
> > > 
> > > * PHP 5.3, older than 5.3.23
> > > * PHP 5.4, older than 5.4.13
> > > * PHP 5.5 is not affected by this.
> > > 
> > > You are strongly recommended to upgrade, as the security issue could
> > > expose local files or easily trigger a DOS attack.
> > > 
> > > More information here:
> > > <http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html>
> > > 
> > > *Large file support*
> > > 
> > > It was also discovered that SabreDAV can often not serve files larger
> > > than 2GB, due to a bug in PHP's fpassthru method.
> > > 
> > > If you ran into this issue, update sabredav. We are now no longer using
> > > fpassthru.
> > > 
> > > More information here: http://evertpot.com/fpassthru-broken/
> > 
> > _______________________________________________
> > Devel mailing list
> > Devel at owncloud.org
> > http://mailman.owncloud.org/mailman/listinfo/devel
> 

-- 
Med venlig hilsen / Best Regards

Thomas Tanghus

