Maximilian Bosch 520b10453f nextcloud: 19.0.4 -> 19.0.6, 20.0.1 -> 20.0.3, mark v19 as insecure ... ChangeLogs: * https://nextcloud.com/changelog/#20-0-3 * https://nextcloud.com/changelog/#19-0-6 For Nextcloud 20, security advisories for CVE-2020-8259[1] & CVE-2020-8152[2] were published. The only way to fix those is to upgrade to v20, although v19 and v18 are supported, the issue won't be fixed there[3]. Even though both CVEs are only related to the encryption module[4] which is turned off by default, I decided to add a vulnerability note to `nextcloud19` since CVE-2020-8259's is rated as "High" by NIST (in contrast to Nextcloud which rates it as "Low"). If one is not affected by the issue, `nextcloud19` can still be used by declaring `permittedInsecurePackages`[5]. [1] https://nvd.nist.gov/vuln/detail/CVE-2020-8259, https://nextcloud.com/security/advisory/?id=NC-SA-2020-041 [2] https://nvd.nist.gov/vuln/detail/CVE-2020-8152, https://nextcloud.com/security/advisory/?id=NC-SA-2020-040 [3] https://help.nextcloud.com/t/fixes-for-cve-2020-8259-cve-2020-8152-in-nextcloud-18-19/98289 [4] https://docs.nextcloud.com/server/20/admin_manual/configuration_files/encryption_configuration.html [5] https://nixos.org/manual/nixpkgs/stable/#sec-allow-insecure Closes #106212		2020-12-11 12:39:57 +01:00
..
default.nix	nextcloud: 19.0.4 -> 19.0.6, 20.0.1 -> 20.0.3, mark v19 as insecure	2020-12-11 12:39:57 +01:00
news-updater.nix	treewide: Per RFC45, remove all unquoted URLs	2020-04-10 17:54:53 +01:00