--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-eac0e52f88
2021-07-09 01:00:53.185856
--------------------------------------------------------------------------------
Name : nextcloud
Product : Fedora 34
Version : 20.0.10
Release : 1.fc34
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.
--------------------------------------------------------------------------------
Update Information:
- Update to 20.0.10, fixes multiple CVEs (RHBZ 1934830, RHBZ 1934838,
RHBZ 1934840, RHBZ 1977202)
- Include php-fpm config in httpd subpackage
- Set php memory limit to 512MB (RHBZ 1933529)
- Add Referrer-policy no-referrer to nginx config (RHBZ 1933530)
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 30 2021 Christopher Engelhard <ce(a)lcts.de> - 20.0.10-1
- Update to 20.0.10, fixes multiple CVEs (RHBZ 1934830, RHBZ 1934838,
RHBZ 1934840, RHBZ 1977202)
- Include php-fpm config in httpd subpackage
- Set php memory limit to 512MB (RHBZ 1933529)
- Add Referrer-policy no-referrer to nginx config (RHBZ 1933530)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1933529 - The PHP memory limit is below the recommended value of 512MB
https://bugzilla.redhat.com/show_bug.cgi?id=1933529
[ 2 ] Bug #1933530 - The “Referrer-Policy” HTTP header is not set to
“no-referrer”, “no-referrer-when-downgrade”, “strict-origin”,
“strict-origin-when-cross-origin” or “same-origin”
https://bugzilla.redhat.com/show_bug.cgi?id=1933530
[ 3 ] Bug #1934830 - CVE-2020-8296 nextcloud: Passwords stored in a recoverable format
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1934830
[ 4 ] Bug #1934838 - CVE-2021-22878 nextcloud: Reflected cross-site scripting due to
lack of sanitization in `OC.Notification.show` [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1934838
[ 5 ] Bug #1934840 - CVE-2021-22877 nextcloud: Stored credentials accessible by other
users [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1934840
[ 6 ] Bug #1977202 - CVE-2021-22915 nextcloud: lack of inclusion of IPv6 subnets in
rate-limiting considerations allows brute force attacks [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1977202
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-eac0e52f88' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------