Download ownCloud Server 9.0.4 / 8.2.7 / 8.1.9 / 8.0.14

Updates have been released for ownCloud server versions from the 9.0, 8.2, 8.1 and 8.0 series. OwnCloud is an open source project that makes it possible to run cloud storage in-house. It is easy to set up as all you need is a server running PHP and MySQL. In addition to storing and sharing files, it is also possible to stream music or keep a calendar and address book, for example. The server needs Windows or Linux, clients are available for Windows, Linux, macOS, Android and iOS. The updates should fix some bugs and security issues. More information about this can be found in the release notes.

ownCloud 9.0.4, 8.2.7, 8.1.9, 8.0.14 released
We have released ownCloud server versions 9.0.4, 8.2.7, 8.1.9 and 8.0.14which contain several bug fixes as well as security-related issues.

A third party component called “Guzzle” is affected by HTTPoxy vulnerability (as filed as CVE-2016-5385 for PHP). This component, which handles http requests on behalf of ownCloud can be tricked into passing inbound requests to a proxy server controlled by a third party. In combination with the ajax cron feature, the third party can potentially see external storage credentials and data. We recommend to use system cron whenever possible, which also significantly improves reliability and experience.

Mitigation/Fix
If possible, we recommend an immediate update to 9.0.4, 8.2.7 or 8.1.9 respectively, which each contain a patch for Guzzle. ownCloud 8.0 is shipping an older version of Guzzle and is not affected. However, 8.0.14 fixes a number of other issues and we encourage everyone on older versions of 8.0 to update right away as well.

If you cannot update immediately, please consider adding server-level workarounds for the HTTPoxy issue. For more details, read the full change log.