Bug 878491 (CVE-2022-39329, CVE-2022-39330, CVE-2022-39364) - <www-apps/nextcloud-{23.0.10,24.0.6}: multiple vulnerabilities
Summary: <www-apps/nextcloud-{23.0.10,24.0.6}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-39329, CVE-2022-39330, CVE-2022-39364
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 879203
Blocks:
Reported: 2022-10-28 02:20 UTC by John Helmert III
Modified: 2022-12-08 01:28 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-28 02:20:15 UTC
CVE-2022-39364 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpf5-jj85-36h5):
https://github.com/nextcloud/server/pull/33689
https://hackerone.com/reports/1652903

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`.

CVE-2022-39330 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c):
https://github.com/nextcloud/circles/pull/1147
https://hackerone.com/reports/1688199

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/cpu load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app.

CVE-2022-39329 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f3p-rcm5-mrg3):
https://github.com/nextcloud/server/pull/33643
https://hackerone.com/reports/1675014

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for this issue. No known workarounds are available.

Please bump to 23.0.10 and 24.0.6.
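The CVE-2022-39364 workaround above relies on a PHP engine setting: when `zend.exception_ignore_args` is off, every frame of an exception's stack trace carries the arguments the function was called with, so a logger that writes traces to `nextcloud.log` will write a password argument verbatim. The following script is an added example (not Nextcloud code and not part of this bug report) that lets an administrator confirm the effect on their own PHP build. The function name `connectToSharePoint`, the host, the user and the password are constructed placeholders; the setting is toggled with `ini_set()` purely so both cases can be shown in one run, while in production it belongs in `php.ini` as the advisory states.

```php
<?php
// Added example: demonstrates how exception trace arguments leak a credential
// into a log line, and how zend.exception_ignore_args suppresses the leak.
// All names, hosts and credentials below are constructed placeholders.

declare(strict_types=1);

// Stand-in for a storage backend that authenticates with a password argument.
function connectToSharePoint(string $host, string $user, string $password): void
{
    // Simulate a connection failure that surfaces as an exception; the frame for
    // this call, including its arguments, is captured when the exception is created.
    throw new RuntimeException("could not connect to $host");
}

// Mimics an application logger that serialises the exception trace into the
// log entry. Returns the line instead of writing it so it can be inspected.
function formatLogLine(Throwable $e): string
{
    return $e->getMessage() . ' | trace: ' . json_encode($e->getTrace());
}

// Performs one failing connection attempt and returns what would be logged.
function attemptAndLog(): string
{
    try {
        connectToSharePoint('sharepoint.example.invalid', 'svc-user', 'S3cret-Placeholder');
    } catch (RuntimeException $e) {
        return formatLogLine($e);
    }
    return '';
}

// Returns true if the placeholder password appears in the log line.
function logLeaksPassword(string $logLine): bool
{
    return strpos($logLine, 'S3cret-Placeholder') !== false;
}

// 1) Engine default (zend.exception_ignore_args = Off): trace frames carry
//    their 'args', so the password ends up in the log line.
ini_set('zend.exception_ignore_args', '0');
$leaky = attemptAndLog();
echo 'exception_ignore_args=Off -> password in log: '
    . (logLeaksPassword($leaky) ? 'YES' : 'no') . PHP_EOL;

// 2) With the advisory's workaround (zend.exception_ignore_args = On) PHP
//    omits 'args' from collected traces, so the same failure logs no credential.
ini_set('zend.exception_ignore_args', '1');
$safe = attemptAndLog();
echo 'exception_ignore_args=On  -> password in log: '
    . (logLeaksPassword($safe) ? 'YES' : 'no') . PHP_EOL;
```

Run it with `php leak-check.php` on the same PHP version the web server uses; the first line should report `YES` and the second `no`. Note that the setting is global: it also strips arguments from traces you may rely on when debugging, which is why the advisory presents it as a workaround until the patched Nextcloud releases (23.0.9 / 24.0.5 and later) are installed.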
Comment 1 Bernard Cafarelli gentoo-dev 2022-11-02 21:04:31 UTC
23.0.10 and 24.0.6 are in tree (I bumped before seeing this bug) - 24.0.6 is now the new stable target in bug #879203
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-02 21:48:15 UTC
Thank you! Please clean up
Comment 3 Larry the Git Cow gentoo-dev 2022-11-02 22:29:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26eb686e89c87122150742e6d9d818fa64853f57

commit 26eb686e89c87122150742e6d9d818fa64853f57
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-11-02 22:29:35 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-11-02 22:29:35 +0000

    www-apps/nextcloud: drop 23.0.8, 23.0.9, 24.0.5
    
    Bug: https://bugs.gentoo.org/878491
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  3 ---
 www-apps/nextcloud/nextcloud-23.0.8.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-23.0.9.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-24.0.5.ebuild | 43 ------------------------------
 4 files changed, 132 deletions(-)
Comment 4 Bernard Cafarelli gentoo-dev 2022-11-02 22:30:51 UTC
Done, 24.0.6 is now the current stable version; I left 23.0.10 for those wanting to stay on 23.x (which is still maintained)