CVE-2023-28999 (https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf): https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8
Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files. This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.

CVE-2023-29000 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h82x-98q3-7534): https://hackerone.com/reports/1679267
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available.

CVE-2023-28997 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4p33-rw27-j5fc): https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.

CVE-2023-28998 (https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf): https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jh3g-wpwv-cqgr
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.

Please bump to 3.8.0.
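The root cause named in CVE-2023-29000 above is that the client trusted the server to hand back a certificate belonging to the user's own keypair. The defensive check is small: before encrypting anything, confirm that the public key inside the server-supplied certificate is the public half of the private key the client already holds, and refuse otherwise. The following Go program is an added illustration of that check written for this bug report; it is not code from the Nextcloud client, and the key sizes, certificate fields and the "rogue" certificate fixture are constructed here for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certMatchesPrivateKey reports whether cert carries exactly the public half
// of priv. This is the check a client must make before trusting a certificate
// that an untrusted server claims is "yours".
func certMatchesPrivateKey(cert *x509.Certificate, priv *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false // different key type cannot be ours
	}
	return pub.Equal(&priv.PublicKey)
}

// selectEncryptionCert models the client-side decision: parse what the server
// returned and accept it only if it wraps the locally held keypair.
func selectEncryptionCert(serverCertDER []byte, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(serverCertDER)
	if err != nil {
		return nil, err
	}
	if !certMatchesPrivateKey(cert, priv) {
		return nil, errors.New("server-supplied certificate does not match local private key; refusing to encrypt")
	}
	return cert, nil
}

// selfSignedCertDER builds a minimal self-signed certificate (constructed
// fixture for this example) for the public key belonging to signer.
func selfSignedCertDER(signer *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &signer.PublicKey, signer)
}

// buildFixtures creates the user's keypair plus two server responses: the
// legitimate certificate for the user's key, and one for a key the user does
// not hold (constructed to stand in for a key controlled by someone else).
func buildFixtures() (userKey *rsa.PrivateKey, userCertDER, rogueCertDER []byte, err error) {
	userKey, err = rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	rogueKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	if userCertDER, err = selfSignedCertDER(userKey, "user@example.invalid"); err != nil {
		return nil, nil, nil, err
	}
	if rogueCertDER, err = selfSignedCertDER(rogueKey, "user@example.invalid"); err != nil {
		return nil, nil, nil, err
	}
	return userKey, userCertDER, rogueCertDER, nil
}

func main() {
	userKey, userDER, rogueDER, err := buildFixtures()
	if err != nil {
		panic(err)
	}
	if _, err := selectEncryptionCert(userDER, userKey); err != nil {
		fmt.Println("legitimate cert rejected:", err)
	} else {
		fmt.Println("legitimate cert accepted")
	}
	if _, err := selectEncryptionCert(rogueDER, userKey); err != nil {
		fmt.Println("rogue cert rejected:", err)
	} else {
		fmt.Println("rogue cert accepted (this is the vulnerable behaviour)")
	}
}
```

Note that the rogue certificate carries the same CommonName as the real one; matching on subject, issuer or fingerprint alone would not help here. Only comparing the certificate's public key against the private key in the client's own possession ties the certificate to the user.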
3.8.0 is now available in ::gentoo.
Thanks! Please stabilize then.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3968a52392cb1c93367ca4ad45b00915fbb45af

commit f3968a52392cb1c93367ca4ad45b00915fbb45af
Author: Florian Schmaus <flow@gentoo.org>
AuthorDate: 2023-05-03 08:49:47 +0000
Commit: Florian Schmaus <flow@gentoo.org>
CommitDate: 2023-05-03 08:50:06 +0000

net-misc/nextcloud-client: stabilize 3.8.0 for amd64

Bug: https://bugs.gentoo.org/903892
Signed-off-by: Florian Schmaus <flow@gentoo.org>

net-misc/nextcloud-client/nextcloud-client-3.8.0.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Tree is clean:

commit 71c4cb2fbc9881d98872f8c628507501b73f4855
Author: Florian Schmaus <flow@gentoo.org>
Date: Wed May 3 10:51:40 2023 +0200

net-misc/nextcloud-client: drop 3.6.6, 3.7.3, 3.7.4

Signed-off-by: Florian Schmaus <flow@gentoo.org>

Exploitation requires malicious server, high exploitation complexity -> no GLSA. All done!