The developers have closed several security gaps in the Nextcloud collaboration software. They classify some of them as high-risk. Some of the updates have been available for some time. IT managers should install them now.
Nextcloud: Vulnerable components News
In addition to the Nextcloud server, vulnerabilities were also found in the Cookbook and Mail components. According to a security report from the Nextcloud developers, the server lacked protection against brute force attacks on access data in the WebDAV endpoints if the user name was not an email address (CVE-2023-32319, CVSS 8.1, risk “high”).
In addition, user sessions between the Nextcloud server and the Text App were not correctly reset on logout, allowing malicious actors to assume authentication as a previously logged-in user after a login (CVE-2023-32318, CVSS 7.2, high). Updates to Nextcloud Server 25.0.6, 26.0.1 and Enterprise 23.0.12.6, 24.0.11, 25.0.6 or 26.0.1 fix the problems. Since some newer software is already available, administrators should update to the versions currently available.
Nextcloud also offers a recipe collection as a component, the Nextcloud Cookbook. Due to a vulnerability in it, attackers could have injected commands, but this is a risk for developers working with the main repository or forks of it; users of the app in Nextcloud are not affected. Accordingly, the assessments of the scope of the gap differ somewhat. In the NIST database, CVE-2023-31128 appears with a CVSS value of 8.1 as a “high” risk assessment, while Nextcloud does not include a CVSS value in the security notification and sets the risk to “medium”. IT managers and administrators should ensure that their code is up to date with the Master and Main-0.9.x repositories.
Here are some error messages
I don’t get it. Nextcloud version in Yunohost is 25.0.6. The latest from the v25 branch. We are waiting for 26.0.2 due to some bugs for multi installation, but it should be here any day.
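A way to check an installed version against the fixed releases listed in the quoted article, as an added example that is not part of the original thread. The release table is copied from the article; the sample `occ status --output=json` output is constructed, and treating any major release newer than 26 as already fixed is an assumption.

```python
import json

# Fixed releases as listed in the article quoted in this thread.
FIXED_SERVER = {25: (25, 0, 6), 26: (26, 0, 1)}
FIXED_ENTERPRISE = {23: (23, 0, 12, 6), 24: (24, 0, 11),
                    25: (25, 0, 6), 26: (26, 0, 1)}

# Constructed sample of `occ status --output=json` (not taken from the thread).
SAMPLE_OCC_STATUS = '{"installed": true, "version": "25.0.6.1", "versionstring": "25.0.6"}'


def parse_version(text):
    """Turn '25.0.6' or '23.0.12.6' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Nextcloud version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version, enterprise=False):
    """Return 'patched', 'needs-update' or 'no-fix-listed' for one version."""
    v = parse_version(version)
    table = FIXED_ENTERPRISE if enterprise else FIXED_SERVER
    if v[0] > max(table):
        return "patched"  # assumption: majors after 26 already carry the fixes
    fixed = table.get(v[0])
    if fixed is None:
        return "no-fix-listed"  # the article names no fixed release for this branch
    width = max(len(v), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))  # 23.0.12 compares as 23.0.12.0
    return "patched" if pad(v) >= pad(fixed) else "needs-update"


def status_from_occ(json_text, enterprise=False):
    """Read the release from occ's JSON status output and classify it."""
    info = json.loads(json_text)
    return patch_status(info["versionstring"], enterprise)


if __name__ == "__main__":
    print(status_from_occ(SAMPLE_OCC_STATUS))
    for ver in ("25.0.5", "26.0.2", "24.0.12"):
        print(ver, patch_status(ver))
```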
I posted the article on purpose, since I run it on my own server. I am already a little worried. So I wanted to tell everyone that Nextcloud is currently no longer so secure.
I ran the command and I’ve upgraded Nextcloud from the latest stable version 25 to the new one, 26.0.2, without any problem … but … I’ve got these 2 warnings in the Nextcloud admin panel (in French):
summary report
Il y a quelques avertissements concernant votre configuration.
This location block in the Nextcloud NGINX config should fix the warning:

```nginx
location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
    try_files $uri/ =404;
    index index.php;
}
```
Just copy and paste those lines into the Nextcloud NGINX config, at L.106, and restart the NGINX service.
The warning should disappear.
A fix is on the way but it might be nice to test it first.
Thanks @ericg, so does one have to paste this in vim, or is there a simpler text editor?
I’m not really good with vim yet; I’ve only just started with it.
vim has an awful lot of possibilities.
I’ve always used nano otherwise, but I’m sure it’s not that easy to find line 106 with it.
It really doesn’t show me any. Otherwise I wouldn’t be asking. What kind of nano are you using? Thank you both for your support, @ericg as well as you, @JfmbLinux.