
Bug 774252 (CVE-2020-8296, CVE-2021-22877, CVE-2021-22878)

Summary: <www-apps/nextcloud-20.0.6: multiple vulnerabilities (CVE-2020-8296, CVE-2021-{22877,22878})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: polynomial-c, voyageur, web-apps
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa cve]
Package list:
www-apps/nextcloud-20.0.8
Runtime testing required: ---

Description John Helmert III 2021-03-05 02:51:29 UTC
CVE-2020-8296 (https://nextcloud.com/security/advisory/?id=NC-SA-2021-006):

Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.

CVE-2021-22877 (https://nextcloud.com/security/advisory/?id=NC-SA-2021-004):

A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users' external storage configuration when not already configured yet.

CVE-2021-22878 (https://nextcloud.com/security/advisory/?id=NC-SA-2021-005):

Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.


These are fixed in 20.0.6, please stabilize a suitable version.
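The XSS entry above names only the mechanism: a notification message that reaches the DOM without sanitization, so a value reflected from the request can carry markup. As an added illustration that is not Nextcloud's code and not part of this bug report, the following JavaScript models that pattern beside its hardened form. Every name in it (`showNotificationUnsafe`, `showNotificationSafe`, `escapeHtml`, `messageFromUrl`, `containsInjectedTag`), the sample URL and the payload are constructed for this example; it returns the markup string that a page would assign to `innerHTML`, so it runs under plain Node without a browser.

```javascript
// Illustrative model of a notification helper, NOT Nextcloud's
// OC.Notification.show. All names here are hypothetical.

// Minimal HTML escaper: neutralises the five characters that can break
// out of text context or out of a quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the message is concatenated straight into markup.
// If `message` originates from the URL, attacker-supplied HTML is
// reflected into the DOM and any event handler in it executes.
function showNotificationUnsafe(message) {
  return '<div class="notification"><span>' + message + '</span></div>';
}

// Hardened pattern: the message is escaped first, so whatever it
// contains can only ever be rendered as text.
function showNotificationSafe(message) {
  return '<div class="notification"><span>' + escapeHtml(message) + '</span></div>';
}

// Simulates the reflection step: a page reads a message out of its own
// URL. (Constructed example URL, not an endpoint on any real server.)
function messageFromUrl(url) {
  return new URL(url).searchParams.get('msg') || '';
}

// Crude detector used below: after removing the tags the template itself
// emits, does any other tag remain in the rendered markup?
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?(div|span)[^>]*>/g, '');
  return /<[a-z]/i.test(stripped);
}

// Constructed reflected payload: an image tag whose error handler runs
// script as soon as the markup is inserted into a document.
const payload = '<img src=x onerror="alert(document.domain)">';
const sampleUrl = 'https://example.invalid/app?msg=' + encodeURIComponent(payload);
const reflected = messageFromUrl(sampleUrl);

const unsafeHtml = showNotificationUnsafe(reflected);
const safeHtml = showNotificationSafe(reflected);

console.log('unsafe rendering, tag injected:', containsInjectedTag(unsafeHtml));
console.log(unsafeHtml);
console.log('safe rendering, tag injected:  ', containsInjectedTag(safeHtml));
console.log(safeHtml);
```

The design point is where the escaping lives: putting it inside the rendering helper rather than at each call site means a caller that forgets to sanitize (the failure mode the advisory describes) still cannot turn a message into markup. A helper that genuinely needs to render trusted HTML should expose that as a separate, clearly named entry point rather than accepting raw strings by default.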
Comment 1 Agostino Sarubbo 2021-03-05 14:18:48 UTC
amd64 stable
Comment 2 Agostino Sarubbo 2021-03-05 14:19:46 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 3 Thomas Deutschmann (RETIRED) 2021-05-25 16:30:09 UTC
We currently cannot target multiple branches with unique slots per ebuild in GLSA.

Repository is clean, all done.