1) CVE-2020-8138
Description: "A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL."
URL: https://nextcloud.com/security/advisory/?id=NC-SA-2020-014

2) CVE-2020-8139
Description: "A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL."
URL: https://nextcloud.com/security/advisory/?id=NC-SA-2020-015
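To make the first advisory concrete: an SSRF filter that compares an address literal as written against a denylist misses IPv4 nested inside IPv6 (`::ffff:127.0.0.1`), which is the class of check CVE-2020-8138 describes as missing. The following is an added example written for this page, not Nextcloud's own code or the fix; the denylist, function names and sample URLs are constructed for illustration.

```python
# Added example (not Nextcloud's code): a minimal SSRF target filter showing
# why an IPv4 address nested inside an IPv6 literal must be unwrapped before
# the internal-range test. Sample URLs and the denylist are constructed.
import ipaddress
from urllib.parse import urlsplit

# Ranges a calendar-subscription fetcher should never reach (illustrative list).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def _literal(url: str):
    """Return the host of `url` as an address object, or None for a hostname.
    A real filter must also resolve hostnames and test every returned address."""
    host = urlsplit(url).hostname  # strips the [] around IPv6 literals
    try:
        return ipaddress.ip_address(host)
    except (ValueError, TypeError):
        return None

def blocked_naive(url: str) -> bool:
    """Weak check: tests the literal exactly as written against the denylist."""
    addr = _literal(url)
    return addr is not None and any(addr in net for net in BLOCKED_NETS)

def blocked_hardened(url: str) -> bool:
    """Unwraps IPv4 nested inside IPv6 so the inner address is what gets tested."""
    addr = _literal(url)
    if addr is None:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 (or ::ffff:7f00:1) -> 127.0.0.1
    return any(addr in net for net in BLOCKED_NETS)

if __name__ == "__main__":
    for u in ("http://127.0.0.1/cal.ics", "http://[::ffff:127.0.0.1]/cal.ics",
              "http://[::ffff:7f00:1]/cal.ics", "https://calendar.example/cal.ics"):
        print(f"{u:40} naive={blocked_naive(u)!s:5} hardened={blocked_hardened(u)}")
```

The naive filter blocks `127.0.0.1` but passes `[::ffff:127.0.0.1]`, which reaches the same loopback interface; the hardened one tests the unwrapped IPv4 address, and the same unwrapping must be applied to every address a hostname resolves to and to redirect targets.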
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8effbb3d50baff2d4f495b5e7394263138c7d582

commit 8effbb3d50baff2d4f495b5e7394263138c7d582
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-03-25 22:49:19 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-03-25 22:49:41 +0000

    www-apps/nextcloud: drop vulnerable versions

    Bug: https://bugs.gentoo.org/713724
    Package-Manager: Portage-2.3.96, Repoman-2.3.21
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                | 3 ---
 www-apps/nextcloud/nextcloud-16.0.8.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-17.0.3.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-18.0.1.ebuild | 41 ------------------------------
 4 files changed, 126 deletions(-)
@ maintainer(s): Please update to >=18.0.3, >=17.0.5, too. These are out-of-band security releases... No further information available yet:

> As a matter of policy, we don’t give details about security fixes until
> 2 weeks after release because that gives the Bad Folks tips on how to
> exploit them. In 2 weeks, we will have published security advisories
> with impact analysis on https://nextcloud.com/security/ as usual.

https://help.nextcloud.com/t/is-update-to-18-03-real/74909/25
Ack, these new releases are on https://nextcloud.com/changelog/ now too. Quick testing and update in progress.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af744194eb8c0bac0db8d8a4ee91aa8ecb2493fd

commit af744194eb8c0bac0db8d8a4ee91aa8ecb2493fd
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-03-26 00:50:04 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-03-26 00:50:23 +0000

    www-apps/nextcloud: 18.0.3, 17.0.5 security bumps

    These are security updates, replacing the previous versions in tree

    Bug: https://bugs.gentoo.org/713724
    Package-Manager: Portage-2.3.96, Repoman-2.3.21
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                                        | 4 ++--
 .../nextcloud/{nextcloud-17.0.4.ebuild => nextcloud-17.0.5.ebuild} | 0
 .../nextcloud/{nextcloud-18.0.2.ebuild => nextcloud-18.0.3.ebuild} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
Tree is clean, thank you!