CVE-2021-41177 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fj39-4qx4-m3f2): Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (such as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in `config.php`.

CVE-2021-41178 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf): Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into an XSS/phishing attack: an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.

Please stabilize 21.0.5.
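The rate-limiting issue in CVE-2021-41177 is an instance of a general failure mode: a throttle that silently does nothing when its only supported backend (a memory cache) is not configured. The following added example is not Nextcloud code; it is a small illustration written for this report. It models that fail-open throttle beside a fail-closed variant that falls back to a persistent SQLite store when no memory cache is present, so the limit is enforced either way. All class and function names here (`FailOpenThrottle`, `FailClosedThrottle`, `attempts_allowed`) are hypothetical and do not correspond to Nextcloud's `AnonRateThrottle` or `UserRateThrottle` internals.

```python
"""Fail-open vs fail-closed rate limiting (added illustration, not Nextcloud code)."""
import sqlite3


class FailOpenThrottle:
    """Counts attempts only when a memory cache backend exists.

    With cache=None (the 'no memcache configured' case) every attempt is
    allowed, which is the class of defect described in CVE-2021-41177.
    """

    def __init__(self, limit, period, cache=None):
        self.limit, self.period, self.cache = limit, period, cache

    def allow(self, key, now):
        if self.cache is None:          # no backend: the limit is never applied
            return True
        hits = [t for t in self.cache.get(key, []) if now - t < self.period]
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        self.cache[key] = hits
        return True


class FailClosedThrottle:
    """Same limit, but without a memory cache it uses a SQLite table instead.

    db_path=":memory:" keeps the example self-contained; a real deployment
    would point at the application's database.
    """

    def __init__(self, limit, period, cache=None, db_path=":memory:"):
        self.limit, self.period, self.cache = limit, period, cache
        self.db = None
        if cache is None:
            self.db = sqlite3.connect(db_path)
            self.db.execute(
                "CREATE TABLE IF NOT EXISTS hits (subject TEXT, ts REAL)"
            )

    def allow(self, key, now):
        if self.cache is not None:      # fast path: memory cache backend
            hits = [t for t in self.cache.get(key, []) if now - t < self.period]
            if len(hits) >= self.limit:
                return False
            hits.append(now)
            self.cache[key] = hits
            return True
        # Persistent fallback: expire old hits, count the rest, record this one.
        cutoff = now - self.period
        self.db.execute(
            "DELETE FROM hits WHERE subject = ? AND ts <= ?", (key, cutoff)
        )
        (count,) = self.db.execute(
            "SELECT COUNT(*) FROM hits WHERE subject = ?", (key,)
        ).fetchone()
        if count >= self.limit:
            return False
        self.db.execute("INSERT INTO hits VALUES (?, ?)", (key, now))
        self.db.commit()
        return True


def attempts_allowed(throttle, key, n, now=0.0):
    """How many of n back-to-back attempts (same timestamp) get through."""
    return sum(1 for _ in range(n) if throttle.allow(key, now))


if __name__ == "__main__":
    # Constructed scenario: 20 rapid two-factor code guesses against a
    # limit of 5 per 60 seconds, on an instance with no memory cache.
    print(attempts_allowed(FailOpenThrottle(5, 60), "2fa:alice", 20))    # all 20 pass
    print(attempts_allowed(FailClosedThrottle(5, 60), "2fa:alice", 20))  # only 5 pass
```

The check worth taking from this into a deployment review is the first branch of `FailOpenThrottle.allow`: any throttle whose "backend unavailable" path returns success is not a throttle on the hosts where it matters most. The workaround in the advisory (configuring a memory cache in `config.php`) removes that path from being taken; the fix in the patched releases gives the code a backend that is always present.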
Ack, I will drop vulnerable 20.x and 22.x, and good for stabling 21.0.5.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b10e3ad11ffd645eed67c766c662c4d4b21d5f8

commit 2b10e3ad11ffd645eed67c766c662c4d4b21d5f8
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-10-27 06:21:19 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-10-27 06:21:31 +0000

www-apps/nextcloud: drop some security vulnerable versions

Bug: https://bugs.gentoo.org/820368
Package-Manager: Portage-3.0.28, Repoman-3.0.3
Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

www-apps/nextcloud/Manifest | 2 --
www-apps/nextcloud/nextcloud-20.0.12.ebuild | 43 -----------------------------
www-apps/nextcloud/nextcloud-22.1.1.ebuild | 43 -----------------------------
3 files changed, 88 deletions(-)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=267ccf7092a3957f80a8f5004a1ea140124e5c94

commit 267ccf7092a3957f80a8f5004a1ea140124e5c94
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-10-29 07:13:38 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-10-29 07:13:38 +0000

www-apps/nextcloud: drop security vulnerable version

Bug: https://bugs.gentoo.org/820368
Package-Manager: Portage-3.0.28, Repoman-3.0.3
Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

www-apps/nextcloud/Manifest | 1 -
www-apps/nextcloud/nextcloud-21.0.4.ebuild | 43 ------------------------------
2 files changed, 44 deletions(-)
Thanks!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=b56f993e2e4fa0778f67ba7d3b8fbb350d4c7386

commit b56f993e2e4fa0778f67ba7d3b8fbb350d4c7386
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:31:11 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:19 +0000

[ GLSA 202208-17 ] Nextcloud: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/797253
Bug: https://bugs.gentoo.org/802096
Bug: https://bugs.gentoo.org/812443
Bug: https://bugs.gentoo.org/820368
Bug: https://bugs.gentoo.org/834803
Bug: https://bugs.gentoo.org/835073
Bug: https://bugs.gentoo.org/848873
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202208-17.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
GLSA released, all done!