Topic: Owncloud claims PHP 5.3.3 is vulnerable

[stephdl]

I'm working on owncloud V5 currently and now directly after the installation during the first setting we see a warning about a php vulnerability.

Your PHP version is vulnerable to the NULL Byte attack (CVE-2006-7243)
Please update your PHP installation to use ownCloud securely.

however our friend of clearos seem to be concerned too :p
as i found a post on this topic.

it seems that owncloud don't look about the php version (around 5.3.3), but if the vulnerability exists in our php code.

Maybe a part of the solution will be to upgrade php to 5.4 or higher, but i don't know if it is possible.

Your thoughts before to go to bugzilla :p

[CharlieBrady]

Your thoughts before to go to bugzilla :p

My thoughts are that you are being irresponsible posting this here, rather than to bugzilla with the 'security' box checked.

[stephdl]

 
hide vulnerability this is a microsoft method. Moreover it is not a SME vulnerability since it comes from php and thus lot of distros are concerned.
But i wasn't aware of this possibility to check a"security"box in bugzilla, can you be more talkative about that...who read  this specific bug of security if the box is checked ?

[CharlieBrady]

hide vulnerability this is a microsoft method.

Please do some reading on 'responsible disclosure'.

But i wasn't aware of this possibility to check a"security"box in bugzilla, can you be more talkative about that...who read  this specific bug of security if the box is checked ?

Members of the SME server security team.

[stephdl]

For frenchies like me...follow this link http://en.wikipedia.org/wiki/Responsible_disclosure but i realize that i'm completely full debian as i can read this in the chapter 3 of their Debian Social Contract : We will not hide problems

Thank for sharing your experience CB

[janet]

stephdl

...debian....We will not hide problems....

sme developers are not hiding problems.
They prefer a process whereby security issues can be reported securely, without publicly drawing further attention to the problem(s) & highlighting the fact to thousands of hackers, that sme server may have a security vulnerability.
sme developers prefer to quietly fix the security issue, then publicly announce the bug & release appropriate updated packages at the same time.
That way users can fix their servers before hackers have a chance to gain access via the security bug or issue.
This has been the sme way for many years now, & is a good approach in my opinion.

[azche24]

edit: bug filed since 22.05.2013 and made notice in howto@wiki

[janet]

stephdl

Did you post the bug as suggested by Charlie ?

azche24

If a bug has been posted then the matter should be fixed in due course.
If you want something in the wiki more quickly than that, then please request wiki edit access & make the appropriate change yourself. It's very easy to do, & as a community it's good if everyone contributes something positive as they become aware of it. Many hands make light work. Look in your forum user profile to request wiki edit group membership. Thanks

[ReetP]

Bug has been posted :

http://bugs.contribs.org/show_bug.cgi?id=7613

Includes workaround to update PHP

[stephdl]

stephdl

Did you post the bug as suggested by Charlie ?

Sorry but i haven't had time to do it these last days, but as i can see someone did it some days before i noticed the issue, so as i say often in french " il est souvent urgent d'attendre" (it is often urgent to wait)
i have updated the wiki page to point to the workaround http://wiki.contribs.org/OwnCloud#Warning