Bug 897918 (CVE-2023-25159, CVE-2023-25579, CVE-2023-25816, CVE-2023-25821) - <www-apps/nextcloud-{24.0.9,25.0.3}: multiple vulnerabilities
Summary: <www-apps/nextcloud-{24.0.9,25.0.3}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-25159, CVE-2023-25579, CVE-2023-25816, CVE-2023-25821
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: 898472
Reported: 2023-02-26 17:40 UTC by John Helmert III
Modified: 2023-03-11 04:23 UTC (History)
Description: John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2023-02-26 17:40:47 UTC
CVE-2023-25821 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w6h-5qgw-4j94):

Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.

CVE-2023-25816 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-53q2-cm29-7j83):

Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3. No workaround is available.

CVE-2023-25579 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v):

Nextcloud server is a self-hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow creation of paths outside one's own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue.

Please stabilize 25.0.3.
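The ordering defect behind CVE-2023-25579, as an added, constructed illustration (this is not Nextcloud's code): a segment check that runs on the raw string before separator normalization never sees what normalization will turn that string into, while normalizing first and validating the result, plus a final check that the resolved path is still under the user's root, closes that class of bug. The normalizer, the check, the user root and the file names are all assumptions made for the example.

```python
import posixpath

USER_ROOT = "/data/alice/files"  # constructed root of one user's storage


def normalize(path: str) -> str:
    """Separator normalization only (an assumed server behaviour): backslashes
    become slashes, repeated slashes collapse, a leading slash is ensured.
    '..' segments are left alone here; the storage layer resolves them later."""
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    if not path.startswith("/"):
        path = "/" + path
    return path.rstrip("/") or "/"


def has_parent_segment(path: str) -> bool:
    """Rejects '/../' anywhere or a trailing '/..'. Only meaningful on a
    normalized string, which is exactly the point of the ordering bug."""
    return "/../" in path or path.endswith("/..")


def resolve_on_disk(full: str) -> str:
    """Stand-in for the storage layer collapsing '..' when the path is used."""
    return posixpath.normpath(full)


def escapes_root(full: str) -> bool:
    """True when the on-disk resolution of `full` ends up outside USER_ROOT."""
    resolved = resolve_on_disk(full)
    return resolved != USER_ROOT and not resolved.startswith(USER_ROOT + "/")


def get_full_path_wrong_order(user_path: str) -> str:
    """Validate, then normalize: the check runs on separators normalization
    will rewrite, so a traversal built with backslashes passes it."""
    if has_parent_segment(user_path):
        raise PermissionError("invalid path")
    return USER_ROOT + normalize(user_path)


def get_full_path_right_order(user_path: str) -> str:
    """Normalize, validate the normalized string, then confirm the resolved
    path is still under the user's root as a second line of defence."""
    normalized = normalize(user_path)
    if has_parent_segment(normalized):
        raise PermissionError("invalid path")
    full = resolve_on_disk(USER_ROOT + normalized)
    if escapes_root(full):
        raise PermissionError("path escapes user root")
    return full
```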
Comment 1: John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2023-02-26 18:27:40 UTC
CVE-2023-25159 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92g2-h5jv-jjmg):

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocuments) App 6.x prior to 6.3.1 and 7.x prior to 7.0.1 have previews accessible without a watermark. The download should be hidden and the watermark should get applied. This issue is fixed in Nextcloud Server 25.0.1 and 24.0.8, Nextcloud Enterprise Server 25.0.1 and 24.0.8, and Nextcloud Office (Richdocuments) App 7.0.1 (for 25) and 6.3.1 (for 24). No known workarounds are available.
Comment 2: Bernard Cafarelli (gentoo-dev) 2023-02-28 17:14:23 UTC
We could also go with 24.0.9 (and clean up old 25.0 versions), though now is a good time to switch stable to 25.x, and keep the 24.x branch in ~arch with the latest point releases.
Comment 3: Larry the Git Cow (gentoo-dev) 2023-02-28 23:34:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=077986fa8deafff639487a5cddaf318d06769168

commit 077986fa8deafff639487a5cddaf318d06769168
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-02-28 23:34:17 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-02-28 23:34:22 +0000

    www-apps/nextcloud: drop 24.0.7, 24.0.8, 25.0.1, 25.0.2
    
    Keep latest 24.0.x and 25.0.x (unaffected by vulnerabilities)
    
    Bug: https://bugs.gentoo.org/897918
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  4 ---
 www-apps/nextcloud/nextcloud-24.0.7.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-24.0.8.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-25.0.1.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-25.0.2.ebuild | 43 ------------------------------
 5 files changed, 176 deletions(-)