Bug 2305125
| Summary: | CVE-2024-39338 nextcloud: axios: Server-Side Request Forgery [fedora-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | nextcloud | Assignee: | Sergio Basto <sergio> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 40 | CC: | ichavero, sergio, zonexpertconsulting |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | {"flaws": ["3b7ef7c8-7482-4a26-8439-94eac53cc07c"]} | ||
| Fixed In Version: | nextcloud-29.0.5-3.fc42 nextcloud-29.0.6-1.el9 nextcloud-29.0.6-2.fc40 nextcloud-29.0.6-2.fc39 nextcloud-29.0.6-1.fc41 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-09-03 20:01:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2304369 | ||
|
Description
Patrick Del Bello
2024-08-15 13:17:34 UTC
FYI, I am denied access to the bug linked in the previous post. Note this CVE has been fixed yesterday in Nextcloud master branch: https://github.com/nextcloud/server/pull/47215 I expect this to be part of the next release, which should be soon. The relevant upstream fix (update Axios to 1.7.4) was not included in the latest Nextcloud 29.0.5 release from earlier this week. I have posted the question here, to verify the roadmap for Nextcloud 29: https://github.com/nextcloud/server/issues/47453 FEDORA-2024-6971446073 (nextcloud-29.0.5-3.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2024-6971446073 FEDORA-2024-6971446073 (nextcloud-29.0.5-3.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2024-bdac6de5ee (nextcloud-29.0.6-2.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-bdac6de5ee FEDORA-EPEL-2024-87852e6d70 (nextcloud-29.0.6-1.el9) has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-87852e6d70 FEDORA-2024-19e63ed69e (nextcloud-29.0.6-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-19e63ed69e FEDORA-2024-296a0db958 (nextcloud-29.0.6-2.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-296a0db958 FEDORA-2024-bdac6de5ee has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-bdac6de5ee` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-bdac6de5ee See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-EPEL-2024-87852e6d70 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-87852e6d70 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2024-296a0db958 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-296a0db958` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-296a0db958 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2024-19e63ed69e has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-19e63ed69e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-19e63ed69e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-EPEL-2024-87852e6d70 (nextcloud-29.0.6-1.el9) has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2024-296a0db958 (nextcloud-29.0.6-2.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2024-bdac6de5ee (nextcloud-29.0.6-2.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2024-19e63ed69e (nextcloud-29.0.6-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report. |