CVE-2021-22895: Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. Please bump.
It looks like they made a mistake on version (3.1.3 instead of 3.3.1) as latest is 3.2.2

Checking the original link [0], it points to the fix [1] which is indeed mentioned in 3.1.3 changes [2]

Nice thing is 3.1.3 is already stable, I will clean older versions

[0] https://hackerone.com/reports/903424
[1] https://github.com/nextcloud/desktop/pull/2926
[2] https://github.com/nextcloud/desktop/releases/tag/v3.1.3
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f77347204605c4df8936e4547c66d7e3cf1ca05a

commit f77347204605c4df8936e4547c66d7e3cf1ca05a
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-23 07:20:39 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-23 07:20:39 +0000

    net-misc/nextcloud-client: drop old and vulnerable versions

    Bug: https://bugs.gentoo.org/797706
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-misc/nextcloud-client/Manifest                 |  3 -
 .../nextcloud-client-2.6.1-include_tests.patch     | 22 ------
 .../nextcloud-client/nextcloud-client-2.6.5.ebuild | 89 ----------------------
 .../nextcloud-client-3.1.1-r1.ebuild               | 89 ----------------------
 .../nextcloud-client/nextcloud-client-3.1.1.ebuild | 89 ----------------------
 .../nextcloud-client/nextcloud-client-3.1.2.ebuild | 89 ----------------------
 6 files changed, 381 deletions(-)
(In reply to Bernard Cafarelli from comment #1)
> It looks like they made a mistake on version (3.1.3 instead of 3.3.1) as
> latest is 3.2.2
>
> Checking the original link [0], it points to the fix [1] which is indeed
> mentioned in 3.1.3 changes [2]
>
> Nice thing is 3.1.3 is already stable, I will clean older versions

Thank you! I opened a discussion in their security advisory repo.
Package list is empty or all packages have requested keywords.
Minimal impact, no GLSA. All done!