openSUSE has issued an advisory on August 26: https://lists.opensuse.org/opensuse-updates/2018-08/msg00154.html The issue is fixed upstream in 13.0.5.
As version 13.0.6 is out, I have pushed it directly.
Advisory: Nextcloud has issued a security fix for CVE-2018-3780 and several other bugfixes with versions 13.0.5 and 13.0.6.

SRPM:
nextcloud-13.0.6-1.mga6.srpm

RPMS:
nextcloud-13.0.6-1.mga6.noarch.rpm
nextcloud-mysql-13.0.6-1.mga6.noarch.rpm
nextcloud-postgresql-13.0.6-1.mga6.noarch.rpm
nextcloud-sqlite-13.0.6-1.mga6.noarch.rpm
Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
The advisory should say what the CVE actually is, i.e.:

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users (CVE-2018-3780).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3780
https://nextcloud.com/security/advisory/?id=NC-SA-2018-008
https://nextcloud.com/changelog/#latest13
https://lists.opensuse.org/opensuse-updates/2018-08/msg00154.html
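To make the CVE description above concrete for reviewers, here is an added illustration of the defect class it names (missing sanitization of a server-supplied user name before it is rendered into an autocomplete list). This is example code written for this bug report, not Nextcloud's own autocomplete code; the function names, the `user` object shape and the sample search results are constructed for the illustration.

```javascript
// Added example (not Nextcloud code): rendering an autocomplete suggestion
// from a server-supplied user record, first without and then with escaping.

// Escape the characters that change meaning in HTML text and attribute
// context. This is the sanitization step the advisory says was missing.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the display name is concatenated into an HTML string
// unchanged, so any markup inside the name becomes real DOM once a widget
// assigns this string to innerHTML. Because the name is stored server-side,
// every user who sees the suggestion is affected (stored XSS).
function renderSuggestionUnsafe(user) {
  return `<li class="suggestion" data-uid="${user.uid}">${user.displayName}</li>`;
}

// Fixed pattern: every server-controlled field is escaped before it is
// placed into text or attribute position.
function renderSuggestionSafe(user) {
  return `<li class="suggestion" data-uid="${escapeHtml(user.uid)}">` +
    `${escapeHtml(user.displayName)}</li>`;
}

// Constructed sample search results. The second display name contains markup,
// which is exactly what an authenticated user could set on their own profile.
const sampleResults = [
  { uid: 'alice', displayName: 'Alice Example' },
  { uid: 'mallory', displayName: 'Mallory <b>not bold</b>' },
];

// Review check: apart from the <li> wrapper the renderer emits, a rendered
// suggestion must contain no tag-opening sequence. Returns true if it does.
function hasInjectedMarkup(html) {
  const inner = html.replace(/^<li[^>]*>/, '').replace(/<\/li>$/, '');
  return /<[a-zA-Z\/!]/.test(inner);
}

// Render the whole result list with the safe renderer, the way a fixed
// widget would before inserting into the page.
function renderResultsSafe(results) {
  return results.map(renderSuggestionSafe).join('');
}

// Stand-alone demonstration when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const user of sampleResults) {
    console.log('unsafe:', renderSuggestionUnsafe(user),
      'injected markup:', hasInjectedMarkup(renderSuggestionUnsafe(user)));
    console.log('safe:  ', renderSuggestionSafe(user),
      'injected markup:', hasInjectedMarkup(renderSuggestionSafe(user)));
  }
}
```

In a real widget the better fix is to avoid building HTML strings at all and set the name through `textContent` on an element created with `document.createElement`, so no escaping function has to be remembered at every call site; the string-escaping form is shown here because it can be checked without a DOM.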
$ uname -a
Linux localhost.localdomain 4.14.69-desktop-1.mga6 #1 SMP Wed Sep 12 10:35:26 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 48 packages are going to be installed:
- apache-2.4.27-1.1.mga6.x86_64
- apache-mod_php-5.6.38-1.mga6.x86_64
- lib64apr-util1_0-1.5.4-8.mga6.x86_64
- lib64apr1_0-1.5.2-2.1.mga6.x86_64
- lib64json2-0.12.1-1.mga6.x86_64
- lib64mbfl1-1.3.2-1.mga6.x86_64
- lib64onig2-5.9.6-2.mga6.x86_64
- lib64php5_common5-5.6.38-1.mga6.x86_64
- lib64t1lib5-5.1.2-19.mga6.x86_64
- lib64zip4-1.1.3-1.1.mga6.x86_64
- nextcloud-13.0.6-1.mga6.noarch
- nextcloud-mysql-13.0.6-1.mga6.noarch
- nextcloud-sqlite-13.0.6-1.mga6.noarch
- php-ctype-5.6.38-1.mga6.x86_64
- php-curl-5.6.38-1.mga6.x86_64
- php-dom-5.6.38-1.mga6.x86_64
- php-exif-5.6.38-1.mga6.x86_64
- php-fileinfo-5.6.38-1.mga6.x86_64
- php-filter-5.6.38-1.mga6.x86_64
- php-ftp-5.6.38-1.mga6.x86_64
- php-gd-5.6.38-1.mga6.x86_64
- php-gettext-5.6.38-1.mga6.x86_64
- php-hash-5.6.38-1.mga6.x86_64
- php-iconv-5.6.38-1.mga6.x86_64
- php-ini-5.6.38-1.mga6.x86_64
- php-json-5.6.38-1.mga6.x86_64
- php-ldap-5.6.38-1.mga6.x86_64
- php-mbstring-5.6.38-1.mga6.x86_64
- php-mysqlnd-5.6.38-1.mga6.x86_64
- php-openssl-5.6.38-1.mga6.x86_64
- php-pcntl-5.6.38-1.mga6.x86_64
- php-pdo-5.6.38-1.mga6.x86_64
- php-pdo_mysql-5.6.38-1.mga6.x86_64
- php-pdo_sqlite-5.6.38-1.mga6.x86_64
- php-posix-5.6.38-1.mga6.x86_64
- php-session-5.6.38-1.mga6.x86_64
- php-suhosin-0.9.38-1.mga6.x86_64
- php-sysvsem-5.6.38-1.mga6.x86_64
- php-sysvshm-5.6.38-1.mga6.x86_64
- php-timezonedb-2017.2-1.mga6.x86_64
- php-tokenizer-5.6.38-1.mga6.x86_64
- php-xml-5.6.38-1.mga6.x86_64
- php-xmlreader-5.6.38-1.mga6.x86_64
- php-xmlwriter-5.6.38-1.mga6.x86_64
- php-zip-5.6.38-1.mga6.x86_64
- php-zlib-5.6.38-1.mga6.x86_64
- t1lib-config-5.1.2-19.mga6.x86_64
- webserver-base-2.0-10.mga6.noarch
169MB of additional disk space will be used.
41MB of packages will be retrieved.

-------- running sqlite
Installed properly, I was able to set up nextcloud with two users. Uploaded files and interfaced with the nextcloud app. All working as designed.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => brtians1
Since no one else has stepped forward on this one, I'm inclined to say that Brian's test is sufficient. Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0394.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED