CVE-2022-29243 (https://github.com/nextcloud/server/pull/31658):
https://hackerone.com/reports/1153138

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.

Please stabilize 23.0.4
For 22.2, we only have 22.2.7 so good
For 23, we should indeed stabilize newer version, I would go for 23.0.5 to get more fixes in
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50f9c464d6b431aafc38e8ad8689b7c648806f3e

commit 50f9c464d6b431aafc38e8ad8689b7c648806f3e
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-06-05 19:21:20 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-06-05 19:23:06 +0000

    www-apps/nextcloud: drop 22.2.7, 23.0.3, 23.0.4

    Bug: https://bugs.gentoo.org/848873
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                | 3 ---
 www-apps/nextcloud/nextcloud-22.2.7.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-23.0.3.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-23.0.4.ebuild | 43 ------------------------------
 4 files changed, 132 deletions(-)
Thanks!