Security update for nextcloud SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2023:0083-1 Final 1 1 2023-04-03T14:24:07Z current 2023-04-03T14:24:07Z 2023-04-03T14:24:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nextcloud This update for nextcloud fixes the following issues: - Update to 23.0.12 See: https://nextcloud.com/changelog/#latest23 - This also fix security issues: - CVE-2022-35931: Password Policy app could generate passwords that would be block (boo#1203190) - CVE-2022-39346: Missing length validation of user displayname allows to generate an SQL error (boo#1205802) - CVE-2023-25579: Potential directory traversal in OC\Files\Node\Folder::getFullPath (boo#1208591) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2023-83 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M7E2FX5KGET4IYNWVYBLR7XYJMJ7SJD4/ E-Mail link for openSUSE-SU-2023:0083-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203190 SUSE Bug 1203190 https://bugzilla.suse.com/1205802 SUSE Bug 1205802 https://bugzilla.suse.com/1208591 SUSE Bug 1208591 https://www.suse.com/security/cve/CVE-2022-35931/ SUSE CVE CVE-2022-35931 page https://www.suse.com/security/cve/CVE-2022-39346/ SUSE CVE CVE-2022-39346 page https://www.suse.com/security/cve/CVE-2023-25579/ SUSE CVE CVE-2023-25579 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 nextcloud-23.0.12-bp154.2.3.1 nextcloud-apache-23.0.12-bp154.2.3.1 nextcloud-23.0.12-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 nextcloud-apache-23.0.12-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 nextcloud-23.0.12-bp154.2.3.1 as a component of openSUSE Leap 15.4 nextcloud-apache-23.0.12-bp154.2.3.1 as a component of openSUSE Leap 15.4 Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available. CVE-2022-35931 SUSE Package Hub 15 SP4:nextcloud-23.0.12-bp154.2.3.1 SUSE Package Hub 15 SP4:nextcloud-apache-23.0.12-bp154.2.3.1 openSUSE Leap 15.4:nextcloud-23.0.12-bp154.2.3.1 openSUSE Leap 15.4:nextcloud-apache-23.0.12-bp154.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M7E2FX5KGET4IYNWVYBLR7XYJMJ7SJD4/ https://www.suse.com/security/cve/CVE-2022-35931.html CVE-2022-35931 https://bugzilla.suse.com/1203190 SUSE Bug 1203190 Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue. CVE-2022-39346 SUSE Package Hub 15 SP4:nextcloud-23.0.12-bp154.2.3.1 SUSE Package Hub 15 SP4:nextcloud-apache-23.0.12-bp154.2.3.1 openSUSE Leap 15.4:nextcloud-23.0.12-bp154.2.3.1 openSUSE Leap 15.4:nextcloud-apache-23.0.12-bp154.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M7E2FX5KGET4IYNWVYBLR7XYJMJ7SJD4/ https://www.suse.com/security/cve/CVE-2022-39346.html CVE-2022-39346 https://bugzilla.suse.com/1205802 SUSE Bug 1205802 Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2023-25579 SUSE Package Hub 15 SP4:nextcloud-23.0.12-bp154.2.3.1 SUSE Package Hub 15 SP4:nextcloud-apache-23.0.12-bp154.2.3.1 openSUSE Leap 15.4:nextcloud-23.0.12-bp154.2.3.1 openSUSE Leap 15.4:nextcloud-apache-23.0.12-bp154.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M7E2FX5KGET4IYNWVYBLR7XYJMJ7SJD4/ https://www.suse.com/security/cve/CVE-2023-25579.html CVE-2023-25579 https://bugzilla.suse.com/1208591 SUSE Bug 1208591