Bug 27410 - nextcloud new security issues CVE-2020-8183 and CVE-2020-8233
Summary: nextcloud new security issues CVE-2020-8183 and CVE-2020-8233
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: release_blocker normal
Target Milestone: ---
Assignee: Joseph Wang
QA Contact: Sec team
URL: https://nextcloud.com/changelog/
Whiteboard:
Keywords: Triaged
Depends on:
Blocks:
 
Reported: 2020-10-13 20:03 CEST by David Walser
Modified: 2020-10-21 11:32 CEST

See Also:
Source RPM: nextcloud-15.0.14-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-10-13 20:03:27 CEST
openSUSE has issued an advisory on October 11:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00020.html

The issues are fixed upstream in 18.0.7 and 19.0.1:
https://nextcloud.com/security/advisory/?id=NC-SA-2020-026
https://nextcloud.com/security/advisory/?id=NC-SA-2020-029

It looks like what we need to do is update the backported nextcloud in Mageia 7 and drop the superfluous nextcloud17 and nextcloud18 packages in Cauldron.
David Walser 2020-10-13 20:03:37 CEST

Priority: Normal => release_blocker

Comment 1 Morgan Leijström 2020-10-14 17:56:43 CEST
(In reply to David Walser from comment #0)
> It looks like what we need to do is update the backported nextcloud in
> Mageia 7 and drop the superfluous nextcloud17 and nextcloud18 packages in
> Cauldron.

Nextcloud 20 is released, so should be in cauldron; drop other versions.

In mga7 backports replace current 18.x with latest 18, now 18.0.10

And add latest 19, now at 19.0.4

CC: (none) => fri
URL: (none) => https://nextcloud.com/changelog/

Comment 2 Morgan Leijström 2020-10-14 18:01:09 CEST
order should be
new 18
new 19
new 20
remove old 18 & 19
Comment 3 Aurelien Oudelet 2020-10-14 18:44:52 CEST
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => mageia
Keywords: (none) => Triaged

Comment 4 Marc Krämer 2020-10-19 10:20:51 CEST
someone working on this?

CC: (none) => mageia

Comment 5 David Walser 2020-10-21 04:19:00 CEST
nextcloud-19.0.4-1.mga8 uploaded for Cauldron by Joseph Wang.

Still need to drop nextcloud17 and nextcloud18 from Cauldron and update the mga7 backports package.
Comment 6 Morgan Leijström 2020-10-21 10:56:22 CEST
Thank you Joseph
Joseph Wang is the de facto maintainer.
Not knowing which of the two emails to use, I set both.

CC: (none) => joequant
Assignee: mageia => joequant

Comment 7 Morgan Leijström 2020-10-21 11:32:52 CEST
Input from Joseph: https://ml.mageia.org/l/arc/dev/2020-10/msg00246.html
