Fix is in for Security Updates

Wednesday, April 3, 2013 @ 04:04 PM gHale


Security updates should enhance the software they are fixing, not cause more problems. But that is exactly what happened to the developers of the open source ownCloud storage and collaboration software suite.

They had to release version 5.0.3 of their software to fix problems with two earlier security updates. ownCloud version 5.0.1 fixes an SQL injection problem, while version 5.0.2 fixes multiple cross-site scripting (XSS) vulnerabilities.

The first problem ownCloud encountered was that the developers overlooked a restriction in older MySQL versions that only allows indexes with a maximum of 767 bytes. This wasn’t noticed by the developers because everybody used newer MySQL versions or different databases, developers said in a blog post. The second problem was a file system cache DB upgrade bug that triggered the wrong upgrade routine for some users. These problems were partly fixed with 5.0.2 and fully fixed with 5.0.3, which was released 24 hours after 5.0.1.

The ownCloud developers warn users to skip straight to version 5.0.3.

According to the ownCloud forums, this latest version should be safe to upgrade to.

“We are very sorry for the trouble that we might have caused our community users and we are working very hard to prevent these bugs in the future,” the developers said in a blog post. “The good news is that we’ve been working for some time to establish more and more automated integration tests. These tests will be extended to cover upgrade problems like this in the very near future.”

Users who are using version 5.0 or earlier should update to 5.0.3 as soon as possible because this update includes the fixes for the SQL injection and XSS holes. The community edition of ownCloud 5.0.3 is licensed under the AGPLv3 and can be downloaded free of charge from the ownCloud web site. Its source code is available on GitHub.


