Bug 797706 (CVE-2021-22895) - <net-misc/nextcloud-client-3.1.3: improper certificate validation (CVE-2021-22895)
Status: RESOLVED FIXED
Alias: CVE-2021-22895
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/nextcloud/security...
Whiteboard: B4 [noglsa]
Reported: 2021-06-23 02:32 UTC by John Helmert III
Modified: 2022-03-05 17:04 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-23 02:32:11 UTC
CVE-2021-22895:

Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.


Please bump.
Comment 1 Bernard Cafarelli gentoo-dev 2021-06-23 07:18:22 UTC
It looks like they made a mistake on version (3.1.3 instead of 3.3.1) as latest is 3.2.2

Checking the original link [0], it points to the fix [1] which is indeed mentioned in 3.1.3 changes [2]

Nice thing is 3.1.3 is already stable, I will clean older versions


[0] https://hackerone.com/reports/903424
[1] https://github.com/nextcloud/desktop/pull/2926
[2] https://github.com/nextcloud/desktop/releases/tag/v3.1.3
Comment 2 Larry the Git Cow gentoo-dev 2021-06-23 07:21:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f77347204605c4df8936e4547c66d7e3cf1ca05a

commit f77347204605c4df8936e4547c66d7e3cf1ca05a
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-23 07:20:39 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-23 07:20:39 +0000

    net-misc/nextcloud-client: drop old and vulnerable versions
    
    Bug: https://bugs.gentoo.org/797706
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-misc/nextcloud-client/Manifest                 |  3 -
 .../nextcloud-client-2.6.1-include_tests.patch     | 22 ------
 .../nextcloud-client/nextcloud-client-2.6.5.ebuild | 89 ----------------------
 .../nextcloud-client-3.1.1-r1.ebuild               | 89 ----------------------
 .../nextcloud-client/nextcloud-client-3.1.1.ebuild | 89 ----------------------
 .../nextcloud-client/nextcloud-client-3.1.2.ebuild | 89 ----------------------
 6 files changed, 381 deletions(-)
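Review bot: nextcloud-client-2.6.1-include_tests.patch is deleted here while no remaining ebuild shows up in the diffstat, so confirm that the ebuilds kept in the tree do not still list it in PATCHES, since a dangling reference would break their build. The commit message could also name CVE-2021-22895 next to the bug URL so the reason for dropping these versions is visible from the log alone.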
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-23 20:40:32 UTC
(In reply to Bernard Cafarelli from comment #1)
> It looks like they made a mistake on version (3.1.3 instead of 3.3.1) as
> latest is 3.2.2
> 
> Checking the original link [0], it points to the fix [1] which is indeed
> mentioned in 3.1.3 changes [2]
> 
> Nice thing is 3.1.3 is already stable, I will clean older versions

Thank you! I opened a discussion in their security advisory repo.
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:10:02 UTC
Package list is empty or all packages have requested keywords.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-05 17:03:19 UTC
Minimal impact, no GLSA. All done!