Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues


Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Thomas Tanghus

----------  Forwarded Message  ----------

Subject: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues
Date: Wednesday 26 February 2014, 14:37
From: Evert Pot <[hidden email]>
To: [hidden email]

Hi everyone,

We just released SabreDAV 1.7.11 and 1.8.9. Both of these releases fix two
critical issues.

Upgrade by running:

composer upgrade sabre/dav

or grab the zips from:

https://github.com/fruux/sabre-dav/releases

This release fixes a security issue and an issue related to large files in
SabreDAV.

*XXE issue*

Previous SabreDAV versions had a security issue if running on the
following PHP versions:

* PHP 5.3, older than 5.3.23
* PHP 5.4, older than 5.4.13
* PHP 5.5 is not affected by this.

You are strongly recommended to upgrade, as the security issue could expose
local files or easily trigger a DoS attack.

More information here:
<http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html>

*Large file support*

It was also discovered that SabreDAV can often not serve files larger than
2GB, due to a bug in PHP's fpassthru method.

If you ran into this issue, update SabreDAV. We are now no longer using
fpassthru.

More information here: http://evertpot.com/fpassthru-broken/


--
You received this message because you are subscribed to the Google Groups
"SabreDAV Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at http://groups.google.com/group/sabredav-discuss.
For more options, visit https://groups.google.com/groups/opt_out.
-----------------------------------------
--
Med venlig hilsen / Best Regards

Thomas Tanghus
_______________________________________________
Devel mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/devel
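An added example (not SabreDAV's or ownCloud's code) covering both issues in the forwarded announcement: a check of the running PHP version against the affected ranges listed above, a libxml-hardened parse of untrusted XML as a generic mitigation for the XXE class of bug, and a chunked read loop as a replacement for fpassthru(). All function names are mine, and the parse helper is standard libxml hardening rather than the fix SabreDAV itself shipped.

```php
<?php
// True when $phpVersion is in the XXE-affected ranges the announcement lists:
// 5.3 below 5.3.23 and 5.4 below 5.4.13 (5.5 is not affected). No type hints, PHP 5.3-compatible.
function phpAffectedBySabreDavXxe($phpVersion)
{
    $affectedBranches = array('5.3' => '5.3.23', '5.4' => '5.4.13');
    foreach ($affectedBranches as $branch => $fixedIn) {
        if (version_compare($phpVersion, $branch . '.0', '>=')
            && version_compare($phpVersion, $fixedIn, '<')) {
            return true;
        }
    }
    return false;
}

// Parse untrusted XML (a WebDAV request body, say) with external entity loading off, so an
// injected <!ENTITY> cannot pull in local files or URLs; LIBXML_NOENT is deliberately not set.
function parseUntrustedXml($xml)
{
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_disable_entity_loader($previousLoader);
    libxml_use_internal_errors($previousErrors);
    return $ok ? $doc : null;
}

// Stream a file in fixed-size chunks instead of fpassthru(), which the announcement says
// fails on files above 2 GB. Assumes output buffering is off (assumption of this example).
// Returns the number of bytes sent, or false if the file cannot be opened.
function streamFileChunked($path, $chunkSize = 65536)
{
    if (($handle = fopen($path, 'rb')) === false) {
        return false;
    }
    $sent = 0;
    while (!feof($handle) && !connection_aborted()) {
        $chunk = fread($handle, $chunkSize);
        if ($chunk === false || $chunk === '') {
            break;
        }
        echo $chunk;
        flush();
        $sent += strlen($chunk);
    }
    fclose($handle);
    return $sent;
}
```

Call phpAffectedBySabreDavXxe(PHP_VERSION) on each server before deciding whether the upgrade can wait; on a 32-bit PHP build $sent silently becomes a float past PHP_INT_MAX, which is harmless here but worth knowing when logging it.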
Re: Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Thomas Müller
Thanks for the notification!

The XXE issue is already patched in our codebase, which will be released with 6.0.2 and 5.0.15.
The fpassthru issue is only relevant for OS X on the server side - right?

Take care,

Tom


Re: Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Thomas Müller

Pull requests are open:
https://github.com/owncloud/3rdparty/pull/77
https://github.com/owncloud/core/pull/7480

Take care,

Tom

Re: Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Chris-3
In reply to this post by Thomas Müller
The author has deleted this message.
Re: Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Thomas Müller

On Friday, 28.02.2014 at 17:03, Chris wrote:

> Hi,
>
> > The fpassthru issue is only relevant for osx on server side - right?
>
> quoting the bugreport at php [1]
>
> > Tested with OS X, but also getting reports from users of other operating
> > systems.
>
> [1] https://bugs.php.net/bug.php?id=66736
>

Thanks for the clarification!
 

Re: Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues

Thomas Tanghus
In reply to this post by Thomas Müller
On Friday 28 February 2014 16:58 Thomas Müller wrote:
> Pull requests are open:
> https://github.com/owncloud/3rdparty/pull/77
> https://github.com/owncloud/core/pull/7480
>
> Take care,

Awesome. Have visitors so didn't have time for more than forwarding the
message :)

> Tom

--
Med venlig hilsen / Best Regards

Thomas Tanghus