openSUSE-SU-2021:0577-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2021:0577-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2021:0577-1
Related
Published
2021-04-19T12:08:02Z
Modified
2021-04-19T12:08:02Z
Summary
Security update for nextcloud-desktop
Details

This update for nextcloud-desktop fixes the following issues:

nextcloud-desktop was updated to 3.1.3:

  • desktop#2884 [stable-3.1] Add support for Hirsute
  • desktop#2920 [stable-3.1] Validate sensitive URLs to onle allow http(s) schemes.
  • desktop#2926 [stable-3.1] Validate the providers ssl certificate
  • desktop#2939 Bump release to 3.1.3

This also fix security issues:

  • (boo#1184770, CVE-2021-22879, NC-SA-2021-008 , CWE-99)

    Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.

References

Affected packages

openSUSE:Leap 15.2 / nextcloud-desktop

Package

Name
nextcloud-desktop
Purl
pkg:rpm/opensuse/nextcloud-desktop&distro=openSUSE%20Leap%2015.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.3-lp152.2.6.1

Ecosystem specific 

{
    "binaries": [
        {
            "caja-extension-nextcloud": "3.1.3-lp152.2.6.1",
            "nextcloud-desktop": "3.1.3-lp152.2.6.1",
            "nemo-extension-nextcloud": "3.1.3-lp152.2.6.1",
            "libnextcloudsync0": "3.1.3-lp152.2.6.1",
            "libnextcloudsync-devel": "3.1.3-lp152.2.6.1",
            "nextcloud-desktop-dolphin": "3.1.3-lp152.2.6.1",
            "nextcloud-desktop-lang": "3.1.3-lp152.2.6.1",
            "nautilus-extension-nextcloud": "3.1.3-lp152.2.6.1",
            "nextcloud-desktop-doc": "3.1.3-lp152.2.6.1"
        }
    ]
}