| Summary: | nextcloud new security issue CVE-2018-3780 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, lists.jjorge, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | nextcloud-13.0.4-1.mga6.noarch.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2018-08-28 22:50:32 CEST
As version 13.0.6 is out, I have pushed it directly.

Advisory:

Nextcloud has issued a security fix for CVE-2018-3780 and several other bugfixes with version 13.0.5 and 13.0.6.

SRPM:
nextcloud-13.0.6-1.mga6.srpm

RPMS:
nextcloud-13.0.6-1.mga6.noarch.rpm
nextcloud-mysql-13.0.6-1.mga6.noarch.rpm
nextcloud-postgresql-13.0.6-1.mga6.noarch.rpm
nextcloud-sqlite-13.0.6-1.mga6.noarch.rpm

Assignee: lists.jjorge => qa-bugs

The advisory should say what the CVE actually is, i.e.:

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users (CVE-2018-3780).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3780
https://nextcloud.com/security/advisory/?id=NC-SA-2018-008
https://nextcloud.com/changelog/#latest13
https://lists.opensuse.org/opensuse-updates/2018-08/msg00154.html

$ uname -a
Linux localhost.localdomain 4.14.69-desktop-1.mga6 #1 SMP Wed Sep 12 10:35:26 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 48 packages are going to be installed:
- apache-2.4.27-1.1.mga6.x86_64
- apache-mod_php-5.6.38-1.mga6.x86_64
- lib64apr-util1_0-1.5.4-8.mga6.x86_64
- lib64apr1_0-1.5.2-2.1.mga6.x86_64
- lib64json2-0.12.1-1.mga6.x86_64
- lib64mbfl1-1.3.2-1.mga6.x86_64
- lib64onig2-5.9.6-2.mga6.x86_64
- lib64php5_common5-5.6.38-1.mga6.x86_64
- lib64t1lib5-5.1.2-19.mga6.x86_64
- lib64zip4-1.1.3-1.1.mga6.x86_64
- nextcloud-13.0.6-1.mga6.noarch
- nextcloud-mysql-13.0.6-1.mga6.noarch
- nextcloud-sqlite-13.0.6-1.mga6.noarch
- php-ctype-5.6.38-1.mga6.x86_64
- php-curl-5.6.38-1.mga6.x86_64
- php-dom-5.6.38-1.mga6.x86_64
- php-exif-5.6.38-1.mga6.x86_64
- php-fileinfo-5.6.38-1.mga6.x86_64
- php-filter-5.6.38-1.mga6.x86_64
- php-ftp-5.6.38-1.mga6.x86_64
- php-gd-5.6.38-1.mga6.x86_64
- php-gettext-5.6.38-1.mga6.x86_64
- php-hash-5.6.38-1.mga6.x86_64
- php-iconv-5.6.38-1.mga6.x86_64
- php-ini-5.6.38-1.mga6.x86_64
- php-json-5.6.38-1.mga6.x86_64
- php-ldap-5.6.38-1.mga6.x86_64
- php-mbstring-5.6.38-1.mga6.x86_64
- php-mysqlnd-5.6.38-1.mga6.x86_64
- php-openssl-5.6.38-1.mga6.x86_64
- php-pcntl-5.6.38-1.mga6.x86_64
- php-pdo-5.6.38-1.mga6.x86_64
- php-pdo_mysql-5.6.38-1.mga6.x86_64
- php-pdo_sqlite-5.6.38-1.mga6.x86_64
- php-posix-5.6.38-1.mga6.x86_64
- php-session-5.6.38-1.mga6.x86_64
- php-suhosin-0.9.38-1.mga6.x86_64
- php-sysvsem-5.6.38-1.mga6.x86_64
- php-sysvshm-5.6.38-1.mga6.x86_64
- php-timezonedb-2017.2-1.mga6.x86_64
- php-tokenizer-5.6.38-1.mga6.x86_64
- php-xml-5.6.38-1.mga6.x86_64
- php-xmlreader-5.6.38-1.mga6.x86_64
- php-xmlwriter-5.6.38-1.mga6.x86_64
- php-zip-5.6.38-1.mga6.x86_64
- php-zlib-5.6.38-1.mga6.x86_64
- t1lib-config-5.1.2-19.mga6.x86_64
- webserver-base-2.0-10.mga6.noarch

169MB of additional disk space will be used.
41MB of packages will be retrieved.

-------- running sqlite

Installed properly, I was able to set up nextcloud with two users. Uploaded files and interfaced with the nextcloud app. All working as designed.

Whiteboard: (none) => MGA6-64-OK

Since no one else has stepped forward on this one, I'm inclined to say that Brian's test is sufficient. Validating.

Keywords: (none) => validated_update
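The CVE text quoted above describes a display name reaching an autocomplete list without being escaped. The following is an added example, not Nextcloud's or Mageia's code, that puts that rendering pattern next to a hardened version and a small regression check; the function names, the result shape (`id`, `displayName`) and the sample data are all constructed for the illustration.

```javascript
// Added example, not Nextcloud's or Mageia's code: the rendering pattern behind
// CVE-2018-3780 (user search results written unescaped into an autocomplete
// list) next to a hardened version. Names and sample data are constructed.

// Constructed sample of what a user-search endpoint might return. Any
// authenticated user can usually choose their own display name, so this field
// is attacker-influenced even though the server produced the JSON.
const SAMPLE_RESULTS = [
  { id: 'alice', displayName: 'Alice Example' },
  { id: 'mallory', displayName: '<b>Mallory</b> "the" <admin>' },
];

// Escape the characters that can switch HTML parsing context: text nodes need
// & < >, and quoted attribute values additionally need " and '.
// '&' is replaced first so already-escaped output is not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the display name is concatenated straight into markup,
// so any markup inside a display name is parsed as markup by the browser.
function renderSuggestionsUnsafe(results) {
  return results
    .map((r) => `<li data-id="${r.id}">${r.displayName}</li>`)
    .join('');
}

// Hardened pattern: every server-supplied value is escaped for the context
// (attribute value and text node) it is written into.
function renderSuggestionsSafe(results) {
  return results
    .map((r) => `<li data-id="${escapeHtml(r.id)}">${escapeHtml(r.displayName)}</li>`)
    .join('');
}

// Regression check a project could keep in its test suite: the only tags in
// the rendered fragment must be the <li> elements the template itself emits.
function hasOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?li(\s|>)/.test(t));
}

// Stand-alone demonstration.
console.log('unsafe:', renderSuggestionsUnsafe(SAMPLE_RESULTS));
console.log('safe:  ', renderSuggestionsSafe(SAMPLE_RESULTS));
console.log('unsafe passes check:', hasOnlyTemplateTags(renderSuggestionsUnsafe(SAMPLE_RESULTS)));
console.log('safe passes check:  ', hasOnlyTemplateTags(renderSuggestionsSafe(SAMPLE_RESULTS)));
```

In a browser the escaping step can be avoided entirely by building the `li` with `document.createElement` and assigning the display name to `textContent`; the string-escaping form is shown here because it runs under Node without a DOM. The `hasOnlyTemplateTags` check is the kind of assertion that would have flagged the unescaped path in a unit test before it shipped.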
Thomas Backlund
2018-10-14 01:46:11 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0394.html

Resolution: (none) => FIXED