Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 883683 (CVE-2022-39346, CVE-2022-41968, CVE-2022-41969, CVE-2022-41970) - <www-apps/nextcloud-{23.0.11,24.0.7,25.0.1}: multiple vulnerabilities
Summary: <www-apps/nextcloud-{23.0.11,24.0.7,25.0.1}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-39346, CVE-2022-41968, CVE-2022-41969, CVE-2022-41970
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/nextcloud/security...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 883973
Blocks:
  Show dependency tree
 
Reported: 2022-11-30 00:14 UTC by John Helmert III
Modified: 2022-12-08 01:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-30 00:14:32 UTC
CVE-2022-39346:

Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

Please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-02 01:19:46 UTC
CVE-2022-41968 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v):

Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Version 23.0.10 and 24.0.5 contain patches for the issue. No known workarounds are available.

CVE-2022-41969 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx):

Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create user accounts with long passwords.

CVE-2022-41970 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9mh6-cph8-772c):

Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.

So, fixes in: 23.0.11, 24.0.7, 25.0.1. Please stabilize a fixed version and cleanup.
Comment 2 Larry the Git Cow gentoo-dev 2022-12-02 07:58:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd0343c0acd0393b0ec2e79e70bf4d51902fe08a

commit cd0343c0acd0393b0ec2e79e70bf4d51902fe08a
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-12-02 07:58:05 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-12-02 07:58:22 +0000

    www-apps/nextcloud: drop 23.0.10, 25.0.0
    
    Bug: https://bugs.gentoo.org/883683
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                 |  2 --
 www-apps/nextcloud/nextcloud-23.0.10.ebuild | 43 -----------------------------
 www-apps/nextcloud/nextcloud-25.0.0.ebuild  | 43 -----------------------------
 3 files changed, 88 deletions(-)
Comment 3 Bernard Cafarelli gentoo-dev 2022-12-02 07:58:56 UTC
23.x and 25.x done, stable request opened for 24.0.7
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-02 17:35:57 UTC
If we're keeping 23.x around, maybe should stabilize that too?
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-03 18:52:11 UTC
Please cleanup
Comment 6 Larry the Git Cow gentoo-dev 2022-12-06 20:15:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0497b49bb838a6b43c9790de27797bd9d52b36b

commit f0497b49bb838a6b43c9790de27797bd9d52b36b
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-12-06 20:15:30 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-12-06 20:15:30 +0000

    www-apps/nextcloud: drop 24.0.6
    
    Bug: https://bugs.gentoo.org/883683
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-24.0.6.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)