[Bug 1100343] New: VUL-1: CVE-2018-3762: nextcloud: Improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to.
http://bugzilla.opensuse.org/show_bug.cgi?id=1100343

Bug ID: 1100343
Summary: VUL-1: CVE-2018-3762: nextcloud: Improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to.
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
URL: https://smash.suse.de/issue/209622/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: ecsos@schirra.net
Reporter: jsegitz@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2018-3762
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to.

Factory is already fixed. No maintainer, would you be willing to take this one?

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3762
https://nextcloud.com/security/advisory/?id=nc-sa-2018-002
https://hackerone.com/reports/358339

-- You are receiving this mail because: You are on the CC list for the bug.
--- Comment #1 from Eric Schirra
--- Comment #2 from Eric Schirra
This also affected Leap 15.
Maintenance Request is on the way.
https://build.opensuse.org/request/show/621280 (Leap_42.3)
https://build.opensuse.org/request/show/621281 (Leap_15.0)

Sorry. It is not on the way. Where can I find a wiki entry which is functional? I use https://en.opensuse.org/openSUSE:Maintenance_update_process. But it uses the old Factory version. Or must I wait till the factory request is done?
--- Comment #5 from Johannes Segitz
(In reply to Eric Schirra from comment #2) I don't follow. The article describes the process and https://build.opensuse.org/request/show/621287 looks fine. Why did you revoke it?

--- Comment #6 from Eric Schirra
Because I have inserted CVE and boo. So the old is: +- update to 13.0.4 + - Allow setting notify credentials in environment (server#9788) + - Make the token expiration also work for autocasting 0 + (server#9803) + - Enable caldav for webdav subtree public-calendars (server#9820) + And the new which I would send to maintenance is: +- update to 13.0.4 + - Allow setting notify credentials in environment (server#9788) + - Make the token expiration also work for autocasting 0 + (server#9803) + - Enable caldav for webdav subtree public-calendars (server#9820) +- This also fix security issues: + - (boo#1100343, CVE-2018-3762) and (boo#1100344, CVE-2018-3761)
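Review bot: The added changelog entry "+- This also fix security issues:" names only the bug and CVE ids; a one-line description of each issue next to its id (here, the improper checks of dropped permissions for incoming shares described in this bug for CVE-2018-3762, and the corresponding one for boo#1100344) makes the update notice readable without opening the bug, and "fix" should read "fixes".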
--- Comment from Andreas Stieger

--- Comment #8 from Andreas Stieger