control: tags -1 + moreinfo

Hey,

thanks for your initial work on this bug. I added some more digging work into it that ends up with a lot of question marks... Do you know for sure that the merge request #5560 fixes CVE-2023-28999? At least I looked at the merge request and it is a very big one that touches 34 files (660 lines added/483 lines removed), and the commits have whitespace changes and add a new metadata version (1.2). Do we need this new metadata version in order to fix the CVE? In total this does not look like just a bugfix but like a feature branch. It does not look like we can simply ship this big patch to bookworm/bullseye :(

The commit that adds a new metadata version:
https://github.com/nextcloud/desktop/pull/5560/commits/1b0a93eabc8f1322ef299cba3c4db81944c7d2c6

At least there are other merge requests that touch E2EE in Nextcloud Desktop:
https://github.com/nextcloud/desktop/pull/5534

and then there are these new issues with 3.8.0 and E2EE, that scares me to back port additionally:
https://github.com/nextcloud/desktop/issues/5564

Additionally it does not apply cleanly on v3.7.3 - so more work needs to be put into getting this into Debian.

regards,
hefee

> The following vulnerability was published for nextcloud-desktop.
>
> CVE-2023-28999[0]:
> | Nextcloud is an open-source productivity platform. In Nextcloud
> | Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until
> | 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server
> | administrator can gain full access to an end-to-end encrypted folder.
> | They can decrypt files, recover the folder structure and add new
> | files. This issue is fixed in Nextcloud Desktop 3.8.0,
> | Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known
> | workarounds are available.
>
> https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8
> https://github.com/nextcloud/desktop/pull/5560
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-28999
> https://www.cve.org/CVERecord?id=CVE-2023-28999
>
> Please adjust the affected versions in the BTS as needed.
>
> _______________________________________________
> Pkg-owncloud-maintainers mailing list
> pkg-owncloud-maintain...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-owncloud-maintainers