Bug 713724 (CVE-2020-8138, CVE-2020-8139)

Summary:	<www-apps/nextcloud-{16.0.9,17.0.5,18.0.3}: Multiple vulnerabilities (CVE-2020-{8138,8139})
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	voyageur, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~3 [noglsa cve]
Package list:		Runtime testing required:	---

Description Sam James archtester

2020-03-21 00:04:00 UTC

1) CVE-2020-8138
Description:
"A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL."

URL: https://nextcloud.com/security/advisory/?id=NC-SA-2020-014

2) CVE-2020-8139
Description:
"A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL."

URL: https://nextcloud.com/security/advisory/?id=NC-SA-2020-015

Comment 1 Larry the Git Cow gentoo-dev

2020-03-25 22:49:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8effbb3d50baff2d4f495b5e7394263138c7d582

commit 8effbb3d50baff2d4f495b5e7394263138c7d582
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-03-25 22:49:19 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-03-25 22:49:41 +0000

    www-apps/nextcloud: drop vulnerable versions
    
    Bug: https://bugs.gentoo.org/713724
    Package-Manager: Portage-2.3.96, Repoman-2.3.21
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  3 ---
 www-apps/nextcloud/nextcloud-16.0.8.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-17.0.3.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-18.0.1.ebuild | 41 ------------------------------
 4 files changed, 126 deletions(-)

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-26 00:21:19 UTC

@ maintainer(s): Please update to >=18.0.3, >=17.0.5, too. These are out-of-band security releases... 

No further information available yet,

> As a matter of policy, we don’t give details about security fixes until
< 2 weeks after release because that gives the Bad Folks tips on how to
< exploit them. In 2 weeks, we will have published security advisories
> with impact analysis on https://nextcloud.com/security/ 1 as usual.

https://help.nextcloud.com/t/is-update-to-18-03-real/74909/25

Comment 3 Bernard Cafarelli gentoo-dev

2020-03-26 00:30:41 UTC

Ack, these new releases are on https://nextcloud.com/changelog/ now too. Quick testing and update in progress

Comment 4 Larry the Git Cow gentoo-dev

2020-03-26 01:07:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af744194eb8c0bac0db8d8a4ee91aa8ecb2493fd

commit af744194eb8c0bac0db8d8a4ee91aa8ecb2493fd
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-03-26 00:50:04 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-03-26 00:50:23 +0000

    www-apps/nextcloud: 18.0.3, 17.0.5 security bumps
    
    These are security updates, replacing the previous versions in tree
    
    Bug: https://bugs.gentoo.org/713724
    Package-Manager: Portage-2.3.96, Repoman-2.3.21
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                                           | 4 ++--
 .../nextcloud/{nextcloud-17.0.4.ebuild => nextcloud-17.0.5.ebuild}    | 0
 .../nextcloud/{nextcloud-18.0.2.ebuild => nextcloud-18.0.3.ebuild}    | 0
 3 files changed, 2 insertions(+), 2 deletions(-)

Comment 5 Sam James archtester

2020-04-05 23:15:30 UTC

Tree is clean, thank you!