Main Area and Open Discussion > Non-Windows Software

ALERT - do NOT install or use ownCloud server from Ubuntu repositories

(1/1)

40hz:
If you're an Ubuntu user running an ownCloud server - and you installed it from a Ubuntu maintained repository - see below for some important security info courtesy of the Web Upd8 blog:

ownCloud Ubuntu Package Affected By Multiple Critical Security Issues, Nobody To Fix It

Author: Andrew | Date: Friday, October 24, 2014


ownCloud developer Lukas Reschke has sent an email to the Ubuntu Devel mailing list, requesting that ownCloud (server) is removed from the Ubuntu repositories because the package is old and there are multiple critical security bugs for which no fixes have been backported. He adds that:


   "Those security bugs allows an unauthenticated attacker to gain complete control about the web server process".


However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2).

Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical.

You can follow the discussion @ Ubuntu Devel mailing list.

So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service <more>
--- End quote ---

 :tellme:

Navigation

[0] Message Index