CVE-2022-31118 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq): Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`.

CVE-2022-31120 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9qvg-7fwg-722x): Nextcloud server is an open source personal cloud solution. The audit log, which is used to get a full trail of the actions, has been incompletely populated. In affected versions federated share events were not properly logged, which would allow brute force attacks to go unnoticed. This behavior exacerbates the impact of CVE-2022-31118. It is recommended that the Nextcloud Server is upgraded to 22.2.7, 23.0.4 or 24.0.0. There are no workarounds available.

Please stabilize 23.0.6.
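As an added example (not part of this bug report, the advisories, or Nextcloud's own code), the script below shows the kind of detection that the missing audit entries described in CVE-2022-31120 would otherwise make possible: it parses audit-style log lines, counts failed federated-share access events per remote peer over a sliding time window, and flags peers whose failure rate looks like token guessing. The log format, the field names (`event=`, `result=`, `remote=`), the peer addresses, the timestamps and the threshold are all constructed assumptions for this example and are not Nextcloud's actual audit log format; the keyspace helper only restates the `a-zA-Z0-9` ^ 15 figure from the advisory.

```python
"""Flag burst of failed federated-share accesses per remote peer (added example).

The log format below is an ASSUMPTION made for this example; it is not the
real Nextcloud audit log format. Lines look like:
    2022-06-10T12:00:00Z remote=<peer> event=<name> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta

TOKEN_ALPHABET_SIZE = 62   # a-zA-Z0-9, as stated in the advisory
TOKEN_LENGTH = 15


def token_keyspace(alphabet_size=TOKEN_ALPHABET_SIZE, length=TOKEN_LENGTH):
    """Number of possible federated-share tokens (62**15 per the advisory)."""
    return alphabet_size ** length


def _constructed_log():
    """Build CONSTRUCTED sample lines: one guessing burst, one benign peer."""
    base = datetime(2022, 6, 10, 12, 0, 0)
    lines = []
    # Peer 203.0.113.5: 12 failures in under a minute (suspicious burst).
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} remote=203.0.113.5 event=federated_share_access result=failure")
    # Peer 198.51.100.7: a few failures spread over an hour, then a success.
    for minutes in (0, 30, 60):
        ts = (base + timedelta(minutes=minutes, seconds=10)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} remote=198.51.100.7 event=federated_share_access result=failure")
    lines.append("2022-06-10T13:00:15Z remote=198.51.100.7 event=federated_share_access result=success")
    # Unrelated event and a malformed line, to show filtering.
    lines.append("2022-06-10T12:00:03Z remote=203.0.113.5 event=file_read result=success")
    lines.append("garbage line without a timestamp")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Parse one line into a dict with a datetime under 'ts'; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = ts
    return fields


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Return alerts for peers with >= threshold failed federated-share
    accesses inside any sliding window of the given length."""
    failures = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec.get("event") == "federated_share_access" and rec.get("result") == "failure":
            failures[rec["remote"]].append(rec["ts"])

    alerts = []
    for remote, stamps in failures.items():
        stamps.sort()
        start, peak, peak_end = 0, 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits inside `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_end = end - start + 1, end
        if peak >= threshold:
            alerts.append({"remote": remote, "count": peak, "until": stamps[peak_end]})
    return alerts


if __name__ == "__main__":
    print(f"token keyspace: {token_keyspace():.3e}")
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {alert['remote']}: {alert['count']} failures by {alert['until']}")
```

The point of the sliding window is that the per-peer failure count, not the absolute number of log lines, is what separates a misconfigured peer retrying occasionally from a guessing loop; without the federated-share events in the audit log (the CVE-2022-31120 defect) there is nothing for such a check to consume.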
Stable request filed for 23.0.7 (closest in tree), 24.x vulnerable versions already dropped with ed1323bfa92b0b1ebd43875d3aa780f80f2750ba
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0bac4324bf6581e2f57a64140b445e1349663fe6

commit 0bac4324bf6581e2f57a64140b445e1349663fe6
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-08-20 08:09:17 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-08-20 08:09:17 +0000

    www-apps/nextcloud: drop 23.0.5

    Bug: https://bugs.gentoo.org/864439
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-23.0.5.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)
Thanks!