CVE-2022-39346: Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names, which could allow a malicious user to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server be upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue. Please bump.
CVE-2022-41968 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v): Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Versions 23.0.10 and 24.0.5 contain patches for the issue. No known workarounds are available.

CVE-2022-41969 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx): Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create user accounts with long passwords.

CVE-2022-41970 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9mh6-cph8-772c): Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.

So, fixes in: 23.0.11, 24.0.7, 25.0.1. Please stabilize a fixed version and cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd0343c0acd0393b0ec2e79e70bf4d51902fe08a

commit cd0343c0acd0393b0ec2e79e70bf4d51902fe08a
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-12-02 07:58:05 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-12-02 07:58:22 +0000

www-apps/nextcloud: drop 23.0.10, 25.0.0

Bug: https://bugs.gentoo.org/883683
Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                 |  2 --
 www-apps/nextcloud/nextcloud-23.0.10.ebuild | 43 -----------------------------
 www-apps/nextcloud/nextcloud-25.0.0.ebuild  | 43 -----------------------------
 3 files changed, 88 deletions(-)
23.x and 25.x done, stable request opened for 24.0.7
If we're keeping 23.x around, maybe we should stabilize that too?
Please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0497b49bb838a6b43c9790de27797bd9d52b36b

commit f0497b49bb838a6b43c9790de27797bd9d52b36b
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-12-06 20:15:30 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-12-06 20:15:30 +0000

www-apps/nextcloud: drop 24.0.6

Bug: https://bugs.gentoo.org/883683
Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-24.0.6.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)