| Summary: | www-apps/nextcloud-{19.0.12,20.0.10,21.0.2}: multiple vulnerabilities (CVE-2021-{32653,32654,32655,32656,32657}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | polynomial-c, voyageur, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa+] | | |
| Package list: | www-apps/nextcloud-20.0.10 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | 802096 | | |
| Bug Blocks: | | | |
Description
John Helmert III
2021-06-21 02:47:32 UTC
CVE-2021-32654: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.

CVE-2021-32655: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.

CVE-2021-32653: Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
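The CVE text above gives three fixed-version boundaries (19.0.11, 20.0.10, 21.0.2) and nothing about other branches. The following is an added example, not part of the bug report, the Gentoo tree or the Nextcloud project: a small POSIX shell checker that applies exactly those boundaries to a version string, accepting either a bare upstream version or a Portage atom such as www-apps/nextcloud-20.0.10-r1 (Gentoo's -rN revision is dropped before comparing). Branches other than 19, 20 and 21 are reported as "unknown" rather than guessed. The function names (vercmp, atom_version, fixed_for_branch, nextcloud_status) and the list of sample inputs are my own.

```shell
#!/bin/sh
# Added example (not from the bug report, Gentoo or Nextcloud): classify a
# Nextcloud server version against the first fixed release on each branch
# named in the CVE text for this bug: 19.0.11, 20.0.10 and 21.0.2.
# Branches the advisory does not mention are reported as "unknown".

# Numeric, component-wise comparison of two dotted versions.
# Prints -1, 0 or 1 for a<b, a=b, a>b. A missing component counts as 0,
# so 20 < 20.0.10 and 21.0 = 21.0.0. Components are expected to be digits.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Reduce a Portage atom or versioned package name to its upstream version:
#   www-apps/nextcloud-20.0.10-r1 -> 20.0.10   (Gentoo -rN revision dropped)
#   nextcloud-21.0.2              -> 21.0.2
#   19.0.11                       -> 19.0.11   (already a bare version)
atom_version() {
    v=$(printf '%s\n' "$1" | sed -E 's|^([^/]*/)?[^/]*-([0-9][0-9.]*).*$|\2|')
    # Drop a Gentoo revision (-r1) or pre-release suffix (_rc1) from bare versions.
    v="${v%%[-_]*}"
    printf '%s\n' "$v"
}

# First fixed release on each affected branch, as stated in the CVE text.
fixed_for_branch() {
    case "$1" in
        19) printf '%s\n' 19.0.11 ;;
        20) printf '%s\n' 20.0.10 ;;
        21) printf '%s\n' 21.0.2 ;;
        *)  return 1 ;;
    esac
}

# Print "vulnerable", "fixed" or "unknown" for a version string or atom.
nextcloud_status() {
    v=$(atom_version "$1")
    major="${v%%.*}"
    if ! fixed=$(fixed_for_branch "$major"); then
        printf '%s\n' unknown
        return 0
    fi
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# Constructed sample list: the versions this bug mentions, plus a later one.
for v in www-apps/nextcloud-19.0.10 19.0.11 20.0.8 \
         www-apps/nextcloud-20.0.10-r1 21.0.1 21.0.2 23.0.3; do
    printf '%-32s %s\n' "$v" "$(nextcloud_status "$v")"
done
```

On a Gentoo host the atom can be taken from the installed package database (for example the directory name under /var/db/pkg/www-apps/) and fed to nextcloud_status; the "unknown" result for 23.0.3 is deliberate, since this bug only states ranges for the 19, 20 and 21 branches and later branches were handled by separate bugs.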
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4097965ae6371905873ae3979ed61bf265e560ab

commit 4097965ae6371905873ae3979ed61bf265e560ab
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-21 22:18:18 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-21 22:18:38 +0000

www-apps/nextcloud: drop security vulnerable versions

Bug: https://bugs.gentoo.org/797253
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

www-apps/nextcloud/Manifest | 3 --
www-apps/nextcloud/nextcloud-19.0.10.ebuild | 43 -----------------------------
www-apps/nextcloud/nextcloud-20.0.9.ebuild | 43 -----------------------------
www-apps/nextcloud/nextcloud-21.0.1.ebuild | 43 -----------------------------
4 files changed, 132 deletions(-)

I cleaned 19.x and 21.x, for 20 we will need to stabilize newer 20.0.10 (I preferred to wait for normal stabilization to switch stable to new major version 21)

ALLARCHES stable. Closing.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f1e773ccac55ceaf77c3a16f8cd19e9c6e930f

commit b4f1e773ccac55ceaf77c3a16f8cd19e9c6e930f
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-22 06:57:25 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-22 06:57:25 +0000

www-apps/nextcloud: drop vulnerable 20.x version

Bug: https://bugs.gentoo.org/797253
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

www-apps/nextcloud/Manifest | 1 -
www-apps/nextcloud/nextcloud-20.0.8.ebuild | 43 ------------------------------
2 files changed, 44 deletions(-)

(In reply to Agostino Sarubbo from comment #5)
> ALLARCHES stable. Closing.

We've hit this bug before, right? Unable to check for sanity:

> no match for package: www-apps/nextcloud-20.0.10

20.0.10 was dropped for bug 802096 (newer vulnerability)

Current stable version is 23.0.3 and the mentioned major versions here are not in tree anymore

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=b56f993e2e4fa0778f67ba7d3b8fbb350d4c7386

commit b56f993e2e4fa0778f67ba7d3b8fbb350d4c7386
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:31:11 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:19 +0000

[ GLSA 202208-17 ] Nextcloud: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/797253
Bug: https://bugs.gentoo.org/802096
Bug: https://bugs.gentoo.org/812443
Bug: https://bugs.gentoo.org/820368
Bug: https://bugs.gentoo.org/834803
Bug: https://bugs.gentoo.org/835073
Bug: https://bugs.gentoo.org/848873
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202208-17.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)

GLSA released, all done!