
Bug 878491 (CVE-2022-39329, CVE-2022-39330, CVE-2022-39364)

Summary: <www-apps/nextcloud-{23.0.10,24.0.6}: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: voyageur, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 879203
Bug Blocks:

Description John Helmert III 2022-10-28 02:20:15 UTC
CVE-2022-39364 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpf5-jj85-36h5):
https://github.com/nextcloud/server/pull/33689
https://hackerone.com/reports/1652903

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`.

CVE-2022-39330 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c):
https://github.com/nextcloud/circles/pull/1147
https://hackerone.com/reports/1688199

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/CPU load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app.

CVE-2022-39329 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f3p-rcm5-mrg3):
https://github.com/nextcloud/server/pull/33643
https://hackerone.com/reports/1675014

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for this issue. No known workarounds are available.

Please bump to 23.0.10 and 24.0.6.
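The `zend.exception_ignore_args = On` workaround quoted above for CVE-2022-39364 works because PHP keeps every function argument in an exception's backtrace by default, so a logger that writes the trace to `nextcloud.log` also writes any credential that was passed as an argument. The following is an added illustration, not code from this bug or from Nextcloud; `connectSharePoint()`, the URL and the credential value are constructed for the demo.

```php
<?php
// Added example, not Nextcloud code. Shows why the CVE-2022-39364 workaround
// `zend.exception_ignore_args = On` keeps credentials out of logged stack traces:
// by default PHP records every function argument in the exception backtrace.

// Hypothetical connector: the password is a plain function argument, as it
// would be in a storage backend that fails to authenticate.
function connectSharePoint(string $url, string $user, string $password): void
{
    throw new RuntimeException("connection to $url failed");
}

// Return the text a logger would write when it records the exception trace.
function capturedTrace(bool $ignoreArgs, string $secret): string
{
    // zend.exception_ignore_args is PHP_INI_ALL, so it can be toggled at runtime
    // for this demo; on a real server it belongs in php.ini as the advisory says.
    ini_set('zend.exception_ignore_args', $ignoreArgs ? '1' : '0');
    try {
        connectSharePoint('https://sharepoint.example.invalid/', 'svc_nextcloud', $secret);
    } catch (RuntimeException $e) {
        return $e->getTraceAsString();
    }
    return '';
}

// Does the would-be log line contain the credential?
function traceLeaksSecret(bool $ignoreArgs, string $secret): bool
{
    return strpos(capturedTrace($ignoreArgs, $secret), $secret) !== false;
}

// Constructed credential, kept under the 15-character limit that
// getTraceAsString() applies to string arguments, so the substring check is exact.
$secret = 'Pa55w0rd!';

printf("default (args kept):      leaks=%s\n", traceLeaksSecret(false, $secret) ? 'yes' : 'no');
printf("exception_ignore_args=On: leaks=%s\n", traceLeaksSecret(true, $secret) ? 'yes' : 'no');
```

Running the script with the default setting shows the password inside the `connectSharePoint(...)` frame of the trace, while the `On` setting prints the frame with empty parentheses; this is the difference a log reader sees in `nextcloud.log`.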
Comment 1 Bernard Cafarelli 2022-11-02 21:04:31 UTC
23.0.10 and 24.0.6 are in tree (I bumped before seeing this bug); 24.0.6 is now the new stable target in bug #879203.
Comment 2 John Helmert III 2022-11-02 21:48:15 UTC
Thank you! Please clean up.
Comment 3 Larry the Git Cow 2022-11-02 22:29:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26eb686e89c87122150742e6d9d818fa64853f57

commit 26eb686e89c87122150742e6d9d818fa64853f57
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-11-02 22:29:35 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-11-02 22:29:35 +0000

    www-apps/nextcloud: drop 23.0.8, 23.0.9, 24.0.5
    
    Bug: https://bugs.gentoo.org/878491
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  3 ---
 www-apps/nextcloud/nextcloud-23.0.8.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-23.0.9.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-24.0.5.ebuild | 43 ------------------------------
 4 files changed, 132 deletions(-)
Comment 4 Bernard Cafarelli 2022-11-02 22:30:51 UTC
Done, 24.0.6 is now the current stable version; I left 23.0.10 for those wanting to stay on 23.x (which is still maintained).