Bug 26225

Summary: nextcloud new security issue CVE-2019-15613
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, lists.jjorge, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK MGA7-32-OK
Source RPM: nextcloud-15.0.13-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-02-20 21:04:40 CET 
openSUSE has issued an advisory on February 16:
https://lists.opensuse.org/opensuse-updates/2020-02/msg00069.html

The issue is fixed upstream in 15.0.14:
https://nextcloud.com/changelog/#latest15
https://nextcloud.com/security/advisory/?id=NC-SA-2020-002
Comment 1 José Jorge 2020-02-20 21:28:16 CET 
Working on it.
Comment 2 David Walser 2020-02-20 23:07:09 CET 
Updated packages uploaded by José:

nextcloud-15.0.14-1.mga7
nextcloud-mysql-15.0.14-1.mga7
nextcloud-postgresql-15.0.14-1.mga7
nextcloud-sqlite-15.0.14-1.mga7

from nextcloud-15.0.14-1.mga7.src.rpm
Comment 3 José Jorge 2020-02-21 12:22:05 CET 
Suggested advisory :

This is a security update for Nextcloud.

Ref:
https://nextcloud.com/changelog/#latest15
https://nextcloud.com/security/advisory/?id=NC-SA-2020-002

RPMS:
nextcloud-15.0.14-1.mga7
nextcloud-mysql-15.0.14-1.mga7
nextcloud-postgresql-15.0.14-1.mga7
nextcloud-sqlite-15.0.14-1.mga7

SRPM:
nextcloud-15.0.14-1.mga7.src.rpm

CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs

Comment 4 José Jorge 2020-02-21 12:22:24 CET 
I have tested in my own server, no problem.
Comment 5 David Walser 2020-02-21 14:02:08 CET 
Advisory:
========================

Updated nextcloud packages fix security vulnerability:

A bug in Nextcloud Server causes the workflow rules to depend their behavior on
the file extension when checking file mimetypes (CVE-2019-15613).

The nextcloud package has been updated to version 15.0.14, fixing this issue
and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15613
https://nextcloud.com/security/advisory/?id=NC-SA-2020-002
https://nextcloud.com/changelog/#latest15
Comment 6 Brian Rockwell 2020-02-23 02:26:29 CET 
# uname -a
Linux linux.local 5.5.4-desktop-1.mga7 #1 SMP Sat Feb 15 08:41:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

I installed and started the postgresql database server


The following 44 packages are going to be installed:

- apache-2.4.41-1.2.mga7.x86_64
- apache-mod_php-7.3.15-1.mga7.x86_64
- lib64apr-util1_0-1.6.1-3.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64php_common7-7.3.15-1.mga7.x86_64
- lib64zip5-1.5.2-1.mga7.x86_64
- nextcloud-15.0.14-1.mga7.noarch
- nextcloud-mysql-15.0.14-1.mga7.noarch
- nextcloud-postgresql-15.0.14-1.mga7.noarch
- php-cgi-7.3.15-1.mga7.x86_64
- php-ctype-7.3.15-1.mga7.x86_64
- php-curl-7.3.15-1.mga7.x86_64
- php-dom-7.3.15-1.mga7.x86_64
- php-exif-7.3.15-1.mga7.x86_64
- php-fileinfo-7.3.15-1.mga7.x86_64
- php-filter-7.3.15-1.mga7.x86_64
- php-ftp-7.3.15-1.mga7.x86_64
- php-gd-7.3.15-1.mga7.x86_64
- php-gettext-7.3.15-1.mga7.x86_64
- php-hash-7.3.15-1.mga7.x86_64
- php-iconv-7.3.15-1.mga7.x86_64
- php-imagick-3.4.4-1.mga7.x86_64
- php-ini-7.3.15-1.mga7.x86_64
- php-intl-7.3.15-1.mga7.x86_64
- php-json-7.3.15-1.mga7.x86_64
- php-ldap-7.3.15-1.mga7.x86_64
- php-mbstring-7.3.15-1.mga7.x86_64
- php-mysqlnd-7.3.15-1.mga7.x86_64
- php-openssl-7.3.15-1.mga7.x86_64
- php-pcntl-7.3.15-1.mga7.x86_64
- php-pdo-7.3.15-1.mga7.x86_64
- php-pdo_mysql-7.3.15-1.mga7.x86_64
- php-pdo_pgsql-7.3.15-1.mga7.x86_64
- php-posix-7.3.15-1.mga7.x86_64
- php-session-7.3.15-1.mga7.x86_64
- php-sysvsem-7.3.15-1.mga7.x86_64
- php-sysvshm-7.3.15-1.mga7.x86_64
- php-tokenizer-7.3.15-1.mga7.x86_64
- php-xml-7.3.15-1.mga7.x86_64
- php-xmlreader-7.3.15-1.mga7.x86_64
- php-xmlwriter-7.3.15-1.mga7.x86_64
- php-zip-7.3.15-1.mga7.x86_64
- php-zlib-7.3.15-1.mga7.x86_64
- webserver-base-2.0-12.mga7.noarch

192MB of additional disk space will be used.

52MB of packages will be retrieved.


----

I start the httpd service.

in browser I went to 127.0.0.1/nextcloud

got the usual error message

in terminal went to /etc/nextcloud

as root I ran the command:  touch CAN_INSTALL


I refreshed the browser and it came up with the set up folder.  I picked postgresql and went through the install process.

Afterwards I was able to get into the web-page and add files.

---new install is working---

CC: (none) => brtians1

Comment 7 Brian Rockwell 2020-02-23 03:16:01 CET 
$ uname -a
Linux localhost 5.5.4-server-1.mga7 #1 SMP Sat Feb 15 09:53:54 UTC 2020 i686 i686 i386 GNU/Linux

----------

The following 3 packages are going to be installed:

- nextcloud-15.0.14-1.mga7.noarch
- nextcloud-mysql-15.0.14-1.mga7.noarch
- nextcloud-sqlite-15.0.14-1.mga7.noarch

562KB of additional disk space will be used.


----------

Ran the upgrade process from the browser

----------

My nextcloud clients are connecting and updating.  

this patch is working.

Whiteboard: (none) => MGA7-64-OK MGA7-32-OK

Comment 8 Thomas Andrews 2020-02-23 16:10:22 CET 
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-24 22:12:04 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2020-02-24 22:46:04 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0099.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED