Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 878491 (CVE-2022-39329, CVE-2022-39330, CVE-2022-39364) - <www-apps/nextcloud-{23.0.10,24.0.6}: multiple vulnerabilities
Summary: <www-apps/nextcloud-{23.0.10,24.0.6}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-39329, CVE-2022-39330, CVE-2022-39364
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 879203
Blocks:
  Show dependency tree
 
Reported: 2022-10-28 02:20 UTC by John Helmert III
Modified: 2022-12-08 01:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-28 02:20:15 UTC
CVE-2022-39364 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpf5-jj85-36h5):
https://github.com/nextcloud/server/pull/33689
https://hackerone.com/reports/1652903

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`.

CVE-2022-39330 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c):
https://github.com/nextcloud/circles/pull/1147
https://hackerone.com/reports/1688199

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/cpu load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app.

CVE-2022-39329 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f3p-rcm5-mrg3):
https://github.com/nextcloud/server/pull/33643
https://hackerone.com/reports/1675014

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contains patches for this issue. No known workarounds are available.

Please bump to 23.0.10 and 24.0.6.
Comment 1 Bernard Cafarelli gentoo-dev 2022-11-02 21:04:31 UTC
23.0.10 and 24.0.6 are in tree (I bumped before seeing this bug) - 24.0.6 is now new stable target in bug #879203
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-02 21:48:15 UTC
Thank you! Please cleanup
Comment 3 Larry the Git Cow gentoo-dev 2022-11-02 22:29:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26eb686e89c87122150742e6d9d818fa64853f57

commit 26eb686e89c87122150742e6d9d818fa64853f57
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-11-02 22:29:35 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-11-02 22:29:35 +0000

    www-apps/nextcloud: drop 23.0.8, 23.0.9, 24.0.5
    
    Bug: https://bugs.gentoo.org/878491
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  3 ---
 www-apps/nextcloud/nextcloud-23.0.8.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-23.0.9.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-24.0.5.ebuild | 43 ------------------------------
 4 files changed, 132 deletions(-)
Comment 4 Bernard Cafarelli gentoo-dev 2022-11-02 22:30:51 UTC
Done, 24.0.6 is now current stable version, I left 23.0.10 for those wanting to stay on 23.x (which is still maintained)