[Owncloud] Security: Change your PostgreSQL database password

Lukas Reschke lukas at owncloud.org
Thu Apr 11 14:24:54 UTC 2013


Hey all,

With today's release we fixed a major security vulnerability related to our
installation routine. (oC-SA-2013-015, CVE-2013-1941)

In our installation process, a new database user is generated with a random
password. However, our PostgreSQL setup routine was using the PHP function
time() as random source, which allows an attacker to guess the database
password very easily.

We highly recommend any PostgreSQL user to change the database password
(have a look at config/config.php). Sorry for any inconvenience this might
cause.

Thanks,
Lukas

-- 
ownCloud
Your Cloud, Your Data, Your Way!

GPG: 0xEB32B77BA406BE99
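
Added example, not part of the original message and not ownCloud's code: a short Python sketch of why a password derived from time() is guessable, with a check for your own stored password and a CSPRNG-based replacement. The MD5-of-timestamp derivation, the function names and the sample install time are assumptions made for illustration; the advisory only states that time() was the random source.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def clock_password(unix_time: int) -> str:
    # ASSUMPTION: hypothetical derivation (hex MD5 of the timestamp). The
    # advisory only says time() was the random source, not how it was encoded.
    return hashlib.md5(str(unix_time).encode()).hexdigest()


def clock_entropy_bits(window_seconds: int) -> float:
    # time() ticks once per second, so a window of N seconds yields at most
    # N distinct passwords, however long the resulting string looks.
    return math.log2(window_seconds)


def is_clock_derived(stored: str, earliest: int, latest: int) -> bool:
    # Audit helper: does the password in your own config match any second
    # in the window when the instance was installed?
    return any(clock_password(t) == stored for t in range(earliest, latest + 1))


def csprng_password(length: int = 30) -> str:
    # Replacement drawn from the OS CSPRNG: 30 characters over 62 symbols
    # is roughly 178 bits, independent of when it was generated.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    install = 1365000000   # constructed install time, not from the advisory
    day = 86400
    stored = clock_password(install)   # constructed stand-in for the config value
    print("looks random:", stored)
    print("bits if the install day is known:", round(clock_entropy_bits(day), 1))
    print("needs rotation:",
          is_clock_derived(stored, install - day // 2, install + day // 2))
    print("replacement:", csprng_password())
```

A 32-character hex string produced this way carries about 16 bits of uncertainty when the install day is known, which is why the password has to be rotated rather than merely kept secret.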