Fwd: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues


Thomas Tanghus-2

----------  Forwarded Message  ----------

Subject: SabreDAV 1.7.11 and 1.8.9 released, fixing two critical issues
Date: Wednesday 26 February 2014, 14:37
From: Evert Pot <[hidden email]>
To: [hidden email]

Hi everyone,

We just released SabreDAV 1.7.11 and 1.8.9. Both of these releases fix two
critical issues.

Upgrade by running:

composer upgrade sabre/dav

or grab the zips from:

https://github.com/fruux/sabre-dav/releases

This release fixes a security issue and an issue related to large files in
SabreDAV.

*XXE issue*

Previous SabreDAV versions had a security issue when running on the
following PHP versions:

* PHP 5.3, older than 5.3.23
* PHP 5.4, older than 5.4.13
* PHP 5.5 is not affected by this.

You are strongly recommended to upgrade, as the security issue could expose
local files or easily trigger a DOS attack.

More information here:
<http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html>

*Large file support*

It was also discovered that SabreDAV can often not serve files larger than
2GB, due to a bug in PHP's fpassthru method.

If you ran into this issue, update SabreDAV. We are now no longer using
fpassthru.

More information here: http://evertpot.com/fpassthru-broken/


-----------------------------------------
--
Kind regards,

Thomas Tanghus
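A triage check for the version ranges stated in the announcement above, as an added example that is not part of the original message or of the SabreDAV project. The function names and verdict strings are made up for this illustration, and any version outside the ranges the message names is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: classify a host against the ranges in the announcement.

# ver_lt A B: succeed when dotted numeric version A is strictly lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# php_status VERSION: prints affected | not-affected | unknown
php_status() {
    v=${1%%[!0-9.]*}            # drop suffixes such as "-1ubuntu3"
    case $v in
        5.3.*) ver_lt "$v" 5.3.23 && echo affected || echo not-affected ;;
        5.4.*) ver_lt "$v" 5.4.13 && echo affected || echo not-affected ;;
        5.5.*) echo not-affected ;;
        *)     echo unknown ;;  # branch not covered by the announcement
    esac
}

# sabredav_status VERSION: prints fixed | needs-upgrade | unknown
sabredav_status() {
    v=${1%%[!0-9.]*}
    case $v in
        1.7.*) ver_lt "$v" 1.7.11 && echo needs-upgrade || echo fixed ;;
        1.8.*) ver_lt "$v" 1.8.9  && echo needs-upgrade || echo fixed ;;
        *)     echo unknown ;;  # branch not covered by the announcement
    esac
}

# triage PHP_VERSION SABREDAV_VERSION: prints ok | exposed | upgrade | unknown
triage() {
    case "$(sabredav_status "$2")/$(php_status "$1")" in
        fixed/*)                    echo ok ;;       # already on a fixed release
        needs-upgrade/affected)     echo exposed ;;  # XXE issue applies
        needs-upgrade/not-affected) echo upgrade ;;  # large-file fix still missing
        *)                          echo unknown ;;
    esac
}

# Stand-alone use: sh triage.sh <php-version> <sabre/dav-version>
if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```

The PHP version can be read with `php -r 'echo PHP_VERSION;'` and the installed library version with `composer show sabre/dav`. Distribution packages sometimes carry backported fixes under an older upstream version number, so treat the PHP result as a hint and upgrade SabreDAV regardless.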