Your message dated Mon, 18 Nov 2013 23:34:00 +0000
with message-id <[email protected]>
and subject line Bug#729762: fixed in owncloud 5.0.13+dfsg-2
has caused the Debian Bug report #729762,
regarding owncloud data directory not protected due to bad htaccess
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
729762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729762
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: owncloud
Version: 5.0.13+dfsg-1
Severity: important
The default installation for owncloud makes the data directory insecure.
The problem is the htaccess file in /var/lin/owncloud/data is for the
"old style" authorization.
The owncloud admin screen nags you with this:
"Your data directory and your files are probably accessible from the
internet. The .htaccess file that ownCloud provides is not working. We
strongly suggest that you configure your webserver in a way that the
data directory is no longer accessible or you move the data directory
outside the webserver document root."
The file contents should be:
Require all denied
IndexIgnore *
Or even better, the version aware variety of this that is found in
/etc/owncloud/htaccess
I raised the level of Severity because it provides remote access to
files users might think are protected, depending on how your other
settings are setup.
- Craig
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages owncloud depends on:
ii apache2 2.4.6-3
ii apache2-bin [httpd] 2.4.6-3
ii fonts-font-awesome 4.0.0~dfsg-1
ii libjs-chosen 0.9.11-1
ii libjs-jquery 1.7.2+dfsg-3
ii libjs-jquery-fancybox 8-2
ii libjs-jquery-jplayer 2.3.4+dfsg-1
ii libjs-jquery-minicolors 1.2.1-1
ii libjs-jquery-mousewheel 8-2
ii libjs-jquery-timepicker 1.2-1
ii libjs-pdf 0.8.37+dfsg-1
ii libphp-phpmailer 5.1-1
ii mediawiki 1:1.19.8+dfsg-2.1
ii owncloud-doc 0~20131024-1
ii owncloud-mysql 5.0.13+dfsg-1
ii php-aws-sdk 1.5.6.2-1
ii php-crypt-blowfish 1.1.0~RC2-1
ii php-getid3 1.9.7-1
ii php-google-api-php-client 0.6.2-1
ii php-irods-prods 3.3.0~beta1-1
ii php-mdb2 2.5.0b5-1
ii php-mdb2-schema 0.8.5-1
ii php-patchwork-utf8 1.1.7-1
ii php-pear 5.5.5+dfsg-1
ii php-sabre-dav 1.7.6+dfsg-2
ii php-sabre-vobject 2.0.7-1
ii php-seclib 0.3.5-2
ii php-symfony-routing 2.0.19-1
ii php-xml-parser 1.3.4-6
ii php5 5.5.5+dfsg-1
ii php5-curl 5.5.5+dfsg-1
ii php5-gd 5.5.5+dfsg-1
ii php5-json 1.3.2-2
Versions of packages owncloud recommends:
ii clamav 0.97.8+dfsg-1
ii curl 7.33.0-1
ii liboauth-php 0~svn1262-1
ii php-services-json 1.0.3-1
ii php5-cli 5.5.5+dfsg-1
ii php5-intl 5.5.5+dfsg-1
ii php5-ldap 5.5.5+dfsg-1
ii postfix [mail-transport-agent] 2.10.2-1
ii smbclient 2:4.0.10+dfsg-4
ii zendframework 1.12.3-1
Versions of packages owncloud suggests:
pn libapache2-mod-xsendfile <none>
-- Configuration Files:
/etc/owncloud/htaccess [Errno 13] Permission denied: u'/etc/owncloud/htaccess'
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: owncloud
Source-Version: 5.0.13+dfsg-2
We believe that the bug you reported is fixed in the latest version of
owncloud, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated owncloud package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 18 Nov 2013 18:59:14 -0400
Source: owncloud
Binary: owncloud owncloud-mysql owncloud-pgsql owncloud-sqlite
Architecture: source all
Version: 5.0.13+dfsg-2
Distribution: unstable
Urgency: low
Maintainer: ownCloud for Debian maintainers
<[email protected]>
Changed-By: David Prévot <[email protected]>
Description:
owncloud - cloud storage for files, music, contacts, calendars and many more
owncloud-mysql - meta-package providing MySQL dependencies for ownCloud
owncloud-pgsql - meta-package providing PostgreSQL dependencies for ownCloud
owncloud-sqlite - meta-package providing SQLite dependencies for ownCloud
Closes: 729762 729811 729862
Changes:
owncloud (5.0.13+dfsg-2) unstable; urgency=low
.
* Verify GPG signature on download
* Fix fonts-font-awesome symlink
Thanks to Jan Wagner <[email protected]> (Closes: #729811)
* Fix incorrect escapes in vCard FN (full name)
Thanks to Simon McVittie <[email protected]> (Closes: #729862)
* Fix htaccess in data directory
Thanks to Craig Small <[email protected]> (Closes: #729762)
Checksums-Sha1:
cb804d3853d9ef4157e0edf2e31dc05453b64d5a 1858 owncloud_5.0.13+dfsg-2.dsc
0ed91147ef21134bd58f78f4eb0b5bea6daed503 70995
owncloud_5.0.13+dfsg-2.debian.tar.gz
51e791e71ff05f14bd4a160a6714675339f42d14 2355664 owncloud_5.0.13+dfsg-2_all.deb
39757a9dd544ed02fff1939a286dabdff91796ee 48530
owncloud-mysql_5.0.13+dfsg-2_all.deb
27fa68663501c359960606f78f7ac7275d53ffb2 69268
owncloud-pgsql_5.0.13+dfsg-2_all.deb
33f61a189dbea4e414573ac5bb32929023b970e5 68858
owncloud-sqlite_5.0.13+dfsg-2_all.deb
Checksums-Sha256:
67e14da33930c6686a58ad55ad82390266f15cec1c11c224856be0cb76ff5e24 1858
owncloud_5.0.13+dfsg-2.dsc
1d1fd5202887dd34f50004267d5f5ac297b7e191c71193851cc91a9d00c3a217 70995
owncloud_5.0.13+dfsg-2.debian.tar.gz
7d6262d6cdf20ee03cfa5c18b2086610689d51cff4a9448523ccf9d1f93e0b8c 2355664
owncloud_5.0.13+dfsg-2_all.deb
5c4dd0b295e69cebb067cfebf89d5060b85641acc356904ebf8fa2e76f443f48 48530
owncloud-mysql_5.0.13+dfsg-2_all.deb
e38f35de01a57f8dd366008d278dd53090334ea4b25c588a09fc64feaf6bbb60 69268
owncloud-pgsql_5.0.13+dfsg-2_all.deb
ba09579f7ecc65c595af07ebefa8ff55f08452222580d7220fd3bc2727998fed 68858
owncloud-sqlite_5.0.13+dfsg-2_all.deb
Files:
fe36bd8a7f6f7b4678c44ad7d9c641f0 1858 web extra owncloud_5.0.13+dfsg-2.dsc
f642cf5f67da873edfe82568410a953f 70995 web extra
owncloud_5.0.13+dfsg-2.debian.tar.gz
0befbfe38773c86cfccc9ee53c8f21ad 2355664 web extra
owncloud_5.0.13+dfsg-2_all.deb
9231749e6993741da1050ce26af7e359 48530 web extra
owncloud-mysql_5.0.13+dfsg-2_all.deb
758cd1f010da24e4ee2767a5d9a18f3b 69268 web extra
owncloud-pgsql_5.0.13+dfsg-2_all.deb
9110ebcfb7379313566d319068a9f4be 68858 web extra
owncloud-sqlite_5.0.13+dfsg-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQEcBAEBCAAGBQJSip2+AAoJEAWMHPlE9r08CBsH/jPC/MX2nihI5X9gSkCwHcey
U5UFDUD/LZLVKUOJMi/WhbJqF4twpI/qFFKCYSa9Fwv0IQHnEss7doONeJ7n9kPK
jDTXztXds+Y/M38qmh1/BoAyjjJLRfcw/PcJbTn4L1wIDf54NytTU0sDC57ehktT
11gT+0DnVTbOMtfDv+bpc9OiUm9R+WQUvDqLa5MPZo5UCGL1RukJQoyE6FQBIVnh
x4J+YLquD4qZOzbAvMItP/1ddl2WQkkU9cgl7q45JwMqRClokOn/6Bxr30rHRlYJ
V6Px/3dXNwvWA/7KUe9cr3+d05tla4GPTS8gOi50a6N9XAY265EYvQpI3HuBPew=
=cv8T
-----END PGP SIGNATURE-----
--- End Message ---
