Bugs affecting versions in the portage tree:
https://nvd.nist.gov/vuln/detail/CVE-2019-15613
https://nvd.nist.gov/vuln/detail/CVE-2019-15617
https://nvd.nist.gov/vuln/detail/CVE-2020-8119

Please see also other reported nextcloud bugs:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15612
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15616
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15618
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15621
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15623
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15624
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8117
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8118
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8121
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8122
*affected versions in tree = 17.0.0 , 17.0.1
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8246b261f83799e866fa6f316fcfb78ec95d6fcd

commit 8246b261f83799e866fa6f316fcfb78ec95d6fcd
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-02-06 08:58:40 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-02-06 08:58:56 +0000

    www-apps/nextcloud: drop old versions

    First 17.0 are also affected by security bug

    Bug: https://bugs.gentoo.org/708300
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest | 6 -----
 www-apps/nextcloud/nextcloud-16.0.5.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-16.0.6.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-16.0.7.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-17.0.0.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-17.0.1.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-17.0.2.ebuild | 41 ------------------------------
 7 files changed, 252 deletions(-)
*** Bug 708616 has been marked as a duplicate of this bug. ***
there is one more, affecting version 16.0.1 (not in tree): https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8120
Closing

For reference so no links are needed:

CVE-2019-15612
CVE ID: CVE-2019-15612
Summary: A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2019-15613
CVE ID: CVE-2019-15613
Summary: A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes.
Published: Not yet published
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300

CVE-2019-15616
CVE ID: CVE-2019-15616
Summary: Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long.
Published: Not yet published
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300

CVE-2019-15617
CVE ID: CVE-2019-15617
Summary: A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login.
Published: Not yet published
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300

CVE-2019-15618
CVE ID: CVE-2019-15618
Summary: Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.
Published: Not yet published
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300

CVE-2019-15621
CVE ID: CVE-2019-15621
Summary: Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.
Published: Not yet published
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300

CVE-2019-15623
CVE ID: CVE-2019-15623
Summary: Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
Published: Not yet published
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300

CVE-2019-15624
CVE ID: CVE-2019-15624
Summary: Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.
Published: Not yet published
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300

CVE-2020-8117
CVE ID: CVE-2020-8117
Summary: Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.
Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8118
CVE ID: CVE-2020-8118
Summary: An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.
Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8119
CVE ID: CVE-2020-8119
Summary: Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.
Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8120
CVE ID: CVE-2020-8120
Summary: A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation.
Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8121
CVE ID: CVE-2020-8121
Summary: A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.
Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8122
CVE ID: CVE-2020-8122
Summary: A missing check in Nextcloud Server 14.0.3 could give recipient the possibility to extend the expiration date of a share they received.
Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
State: ASSIGNED
Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300